Bring your brains, leave the attitude.

TA B L E O F C O N T E N T S
1
WELCOME TO DEFCON
THE NETWORK @DEFCON
PAGE
3
4
WI-FI SHOOTOUT
TOXIC BBQ
PAGE
19
19 t
0
A N I G H T AT T H E M O V I E S 5 THE NIGHT BEFORE DEFCON - A POEM 20
TCP/IP DRINKING GAME 6 BOOKSIGNINGS 21
HACKER JEOPARDY 7 ROBOT WAREZ CONTEST 22
PGP KEYSIGNING 8 SPEAKERS LISTINGS ARE ALPHABETICAL BY LAST NAME 23-30 & 33-55
BEVERAGE COOLING PAPER ENIGMA 31-34

1
CONTRAPTION CONTEST 10 T U N E I N - T V & R A D I O I N F O R M AT I O N 55
CAPTURE THE FLAG 11 BLACK & WHITE BALL 56
TCP/IP APPLIANCE CONTEST 12 S P E A K I N G S C H E D U L E - D AY 1 57
DEFCON BY PHONE 12 MOVIE CHANNEL 58
DEFCON FORUMS MEETING 13 S P E A K I N G S C H E D U L E - D AY 2 59

0
WARDRIVE 14 NOTEWORTHY 60
QUEERCON 16 S P E A K I N G S C H E D U L E - D AY 3 61
LPCON3 - LOCKPICKING CONTEST 16 VENDORS 62
COFFEE WARS 17 D U N K TA N K 62
A M AT E U R C T F : K I N G O F T H E H I L L 17 MAP 63
SPOT THE FED 18 SHOUT OUT BACK COVER

2
13 0b1101 XIII 0xD 200
WELCOME TO DEFCON 13

thirteen 13 XIII 200

Some say thirteen is an unlucky number, but I view it more as a transitional number. It can mean
good or bad things. Plus there is no empirical evidence it is an inherently evil number, so fuck it.
This year team DEFCON has brought you a great line up of speakers, when you first associate to the network. From there you will get hourly
contests and events. Whether you are competing or just watching and updates of schedule changes, contest results, RSS feeds, and any anything
learning I encourage you to get involved. Everyone makes a difference, else we feel like sharing. Phear the new WiFi a/b/g power!

0b1101 0xD 13 0xD X

and what you get out of DEF CON is up to you. An epiphany or a If you have questions or need help, just look for a “Goon” in a red shirt.
hangover, through Sunday night your mission is to enjoy yourself. They are your friends, and are here to help. Different groups of staff at
There are some exciting talks this year, and I’m telling you right now you DEF CON have different color shirts depending on what they do, but the
won’t make it them all. There are too many of them! The schedule is red shirts are there for the attendees.
loosely built around different topics, and some of the well known When walking around the hotel with its new layout, don’t forget to stop

13 thirteen XIII 200

speakers are up against each other. If you can hack your way into a room by the Info Booth where you can ask questions, learn about speaking
at the AP, youíre in luck. The speeches will be on hotel TV again this year. changes and turn in or ask about lost items.
This year there is an all new wireless network infrastructure. After saving Too much happens for me to tell you, I don’t even know myself until I get
money from the past few cons I spent a chunk of it on top of the line home and read about it all on-line. Speaking of which, after you have
Aruba gear and plenty of access points. We’ll need them in the years to recovered take time to check out forum.defcon.org, www.defconpics.org
come, and we may as well start playing with them now. Hacked up

0xD 13 0b1101 thirtee

and of course www.defcon.org. Share your pictures, post your stories, and
WAP11s are a thing of the past. To take advantage of all this new gear we download the presentations and music.
doubled our bandwidth to 3MBit, and are doing some basic rate limiting
and filtering to keep things rolling. There will be a captive portal page

The Dark Tangent

P.S. Check out the closing ceremony to see who won what, and how they did it!

3
 THE NETWORK @ DEFCON
SSID: DEFCON
Hope you brought your wireless card! This year we’ve gotten new Now…imagine being dropped into
equipment (Thanks DT!) and we’re now offering 802.11 a, b, & g for the middle of a desert and given 3
breakfast, lunch, and dinner! days to setup a solid network for a
group of 5,000 hackers, secret
Net access is available in any of the public areas—the Parthenon
agents, and fanny-pack carrying
complex, speaking rooms, tent, hotel lobby, bar area, and pool 1.
citizens. Plus keep it running! We just
Rogue AP’s? Never, not at DefCon! But just in case someone gets a want to give shout-outs to the folks
crazy idea, check http://updates.defcon.org – we’ll post the MAC who make it happen, and spend
addresses of the official DefCon AP’s – anything else just isn’t worth several months planning this beast.
your time! Some are new to the network team,
some have dedicated their adult lives
In addition to that, we’ve doubled our bandwidth this year; we’ve got to it: Lockheed (10 yrs), Heather
a 3Mb connection to the evil Internet. Remember to share! (4yrs), Videoman (5 yrs), N8 (5 yrs),
Big props out to the guys from Rant Radio – this is their second year in Connor (2yrs), Derek (2 yrs), Sqweak
charge of the DefCon TV and the stuff you see on-screen (ticker (2yrs), Skyroo (1 yrs), Major
updates, etc). Derek’s taken charge of things, re-designed the flux Malfunction (7 yrs)
capacitors this year, and provided a lot of cool back-end stuff.
Together with AgentX providing the RSS feeds, we’ve done a lot this Cheers!
year to make sure you guys get the last-minute schedule changes as
easily as possible!

4
The Dark Tangent exposes you to movies and video clips that he has found
amusing over the past year. You may have seen some of these before, but
now is your chance to grab a drink and chill out from the con and watch one
with your friends. No friends? Well make some here. This year it is all Shirow,
all of the time. Did I mention I like Shirow?

MOVIE ONE: Appleseed 2004 version

“If you can’t kill yourself, build something to do it for you.”

In years past we have brought you such goodies as Primer, Shaolin Soccer, and
Equilibrium. This year I bring you a re-envisioned telling of Masamune Shirow’s
classic “Appleseed” done in CG 3-D rendering. Released in Japan in 2005, it is
now available in English and is essentially a condensed version of the first
Appleseed book. There were 4 books made, with Dark Horse releasing them in the States. I’m
still waiting on book five, as is the rest of the fan base. I remember reading Appleseed
comics in High School and dreaming of the future. The future isn’t all that
cool right now, but at least this movie is. 105 minutes.

MOVIE TWO: Ghost in the Shell 2: Innocence

GITS 2, not to be confused with GITS SAC (Stand Alone Complex) or GITS
SAC 2nd GIG (The second season of GITS SAC) is the follow on to the first
Ghost in the Shell. While it has nothing to do with the comic book series
GITS, GITS 1.5 and GITS 2, it does provide excellent eye candy. While it is a bit
slower than the first one, delving a bit too much into the metaphysical babble,
the imagery and texture is very rich. The artwork at times is awesome, and I was
left with the feeling that the animators and artists were showing off their skillz.
Unfortunately this has not been released yet with an English audio track, so it will
be subtitled.

If you watched Avalon with us last year, look for the same dog in GITS 2. It’s
modeled after the director’s much beloved dog. 89 Minutes.

VIDEO CLIPS: Stand Alone Complex

“We are Soldiers, Stand or Die” About 70 Minutes.

If people are interested, three episodes from the first season of Stand Along
Complex will be played. Don’t worry; the audio track is in excellent English. I’ll try
and pick three action oriented episodes. While SAC ended a couple years ago, and
SAC 2nd Gig ended last year, we in the States are just finishing up SAC on the
Cartoon Network. Keep your eyes open for 2nd Gig next year.

A N I G H T AT T H E M O V I E S
5
 TCP/IP DRINKING GAME
Like anything with ‘Drinking Game’ in its title, one of In the question posed by the audience member, for each term that is directly relevant (moderators call)
the primary objectives is to drink. to TCP/IP networking, a drink to the panel is accrued. If a picture is worth a thousand words, an example
For this game you will need: at this point is worth 6 drinks (in this case):

• 1 Master of Ceremonies / Moderator for the Q: In a TCP packet, if the SYN, FIN, ACK, URG, and PUSH flags are all set what is this
Game (Dr. Mudge) packet commonly referred to as?
• 1 Panel of self or industry proclaimed experts In this case we count ‘TCP packet’ and each one of the flags listed explicitly as a drink. The panel or the
on TCP/IP internals panelist (moderators choice, though usually I’ll loosen up the whole panel at the beginning of the game
• (5 has proven itself to be a good number of and then by making us all consume and then backing off to individuals as the game goes on) must
panelists) consume 6 drinks for this question.
• 1 Rowdy audience of “Hackers” (easily found The answer to the question above would be a Christmas Tree Packet. If the panel or panelist does not
at DefCon or other Hacker conferences) know, or cannot come up with the answer much drinking ensues.
• 4-5 Cases of beer
This is the first stage of the game. In later stages of the game the panel or panelist can negate drinks
• Some pretty sturdy livers...
that are accrued in the question. If the panelist were to answer the previous question with something
The general premise of the game is simple. The along the lines of:
audience proposes questions directed to the panel A: Having the SYN, FIN, ACK, URG, and PUSH flags set in a TCP packet is often referred to
or directed to an individual on the panel. The as a Christmas Tree Packet. However, it would be more appropriate to include the two
questions should be something the audience reserved flags for explicit congestion notification in addition: ECN-Echo, and CWR
member actually wants an answer to. After all, part (congestion window reduced).
of the Hacker-ethic is to take any opportunity that
The person answering the question has the ability to reduce the number of drinks already accrued in the
presents itself to LEARN (the MC is responsible for
asked question by using explicit TCP/IP and network related terminology in their response.
somewhat attempting to enforce this).
It starts going down-hill from here... And hopefully this time DT won’t schedule the TCP/IP Drinking
Game in the Morning again <grin>.

6
H A C K E R J E O PA R D Y X I
Hacker Jeopardy is back! For its eleventh year!
As usual, Hacker Jeopardy will be in the Outdoor Tent. The festivities begin
at 22:00 on Friday, but people will be allowed in at 9:45PM.
Of course, we’ll have the second night too, starting at the same time
on Saturday.
If you’re interested in submitting a team, go to the Contest Area in Athena
and find the sign-up sheet. If you’re interested in donating prizes to be given
away during Hacker Jeopardy, you’re able to drop them off at the NOC.
There will be plenty of prizes for the audience, good tech questions,
plenty of booze, and a brand new Vinyl Vanna. Members of the winning
team will take away a coveted DEFCON leather jacket.So don’t miss out!

7
 PGP KEYSIGNING WITH THE DARK TANGENT

Sign a PGP key today, starting with mine. The second annual PGP Keysigning. The goal is to increase the hacker web of
trust with as little effort as possible. To do
I know that sounds selfish, but hey, you’ve got to be proactive about these things! this you should take a few steps in
What I want to do is to revive the PGP party at DEFCON in a new streamlined fashion. advance:
With the advent of PGP key servers, such as pgpkeys.mit.edu, there is no need to do the 1. Make sure your PGP key is valid
floppy shuffle. All you need is the key ID and fingerprint of the person’s key you want to and the one you want to use.
sign. You search for that key on the key servers, and if the two match you are sure it is Once people start signing it, it’s
the right key for the right person. a pain to discard it and start
over.
PGP, and when I say PGP I also mean GPG, is a great security tool. But like any tool you
2. Submit your key to
have to use it properly to get the most out of it. In the case of PGP it comes down to a
keyserver.pgp.com. There are
strong pass phrase, keeping your secret key file to yourself, and creating a web of trust.
many others, but for ease of use
To create that web of trust you need to sign other people’s keys, and have yours signed we’ll pick just one for now.
as well. This has always been a pain in the ass because of the logistics of swapping 3. Print cards with your key ID and
floppies, etc. fingerprint. It would help to
add your name or email address
To help facilitate this I have created a template for OfficeDepot micro-perf business as well so people can remember
cards. Use the template, and fill in your email address, key ID and fingerprint. Add a who you are when it comes time
picture if you want. Then print a bunch of these out, and bring them to the con. Look for them to sign your key.
for the PGP key exchange on the schedule, and show up to swap fingerprints with
others. Heck, just hand them out all during con.

Download the template here:

http://www.defcon.org/dtangent/pgp-card-template.doc
http://www.defcon.org/dtangent/pgp-card-template.sxw

8
W H E N : J U LY 3 0 , 1 6 : 0 0 - 1 8 : 0 0
W H E R E : AT H E N A - AT T H E I N F O B O O T H

Once you have handed out your card and Now it is time to check to see if anyone OK, now that you have read this, go sign
collected some from others it is time to has signed your key. my damn key! I’ll sign yours as well if I am
process them after the show. 1. Select your key and perform an sure you are who you say you are!
1. Search keyserver.pgp.com for update command. You will see My PGP Key:
the key id of the key you want your key that is found on the The Dark Tangent (RSA 2048)
to sign, and import it to your key servers. <[email protected]>
public key ring. 2. Import it to your public key ring, Key ID: 0x308D3094
2. Sign that public key, and make and see if there are any new PGP Fingerprint: D709 EAEB E09E DFC3
sure to select Allow signature to signatures on it. E47F 87AF 0EBE 0282 308D 3094
be exported. This allows others Just to stay current it is a good idea every
to rely on your signature. couple of months to update your own key,
3. Send the signed key to the as well as the keys of others. On the
keyserver. On the graphical commercial PGP version you just select all
version of PGP for Windows or the keys on your keyring and perform an
OS/X this is done using the send- “update” command. It will go through all
to command. Highlight the of your keys one at a time updating them.
newly signed key and send-to
If you have to revoke your key it is polite
the server keyserver.pgp.com. It
to submit the revocation to the key
synchronizes the key you have
servers so others know not to use that
with the key on the keyserver.
key anymore.
4. You are all done! The owner of
the key can now check to see if
you have signed their key.

IMA
GE
COU
RTE
SY O
F ZON
EH

9
 BEVERAGE COOLING
CONTRAPTION CONTEST
In March of this year, the program MythBusters on the Discovery Channel featured an
episode in which Jamie Hyneman & Adam Savage set about finding the fastest way to cool
a six-pack. While they accomplished their goal by dousing cans of beer with the output of
a CO2 fire extinguisher, their efforts at constructing actual devices to rapidly cool a
beverage were less than successful. We’d wager that DefCon attendees could design and
build beverage cooling contraptions that would blow the MythBusters away.

Think you’ve got what it takes to rapidly cool a cocktail? Then sign up for the
Beverage Cooling Contraption Contest and put your hardware hacking skills to
the test. There will be two categories of competition: cooling a beverage while
it is still in its original, factory-sealed container & cooling a beverage which has
been opened and poured out of its can and (ultimately) into a glass. The goal is
to design a self-sufficient contraption which will cool a beverage to 38 degrees
Fahrenheit as quickly and efficiently as possible without spending more than
$100. For more information, check out http://deviating.net/bccc.

The contest will take place poolside on Saturday afternoon.

Check with the DefCon Info booth for details on the specific time and location.

10
CAPTURE THE FLAG
kenshoto is proud to present the WarGamez hacking Who Is Playing?
contest. Our unique take on “Capture the Flag” is far Last year’s winner, Sk3wl0fR00t, is
automatically qualified. Of the 120+
more über than anything that has come before it.
entrants into the qualifying round, only
Come behold the spectacle as you watch uber-nerds the following weren’t totally lame:

competing in knock-down, drag-out cyber-ninja Teams:

• Darwin’s Bastards
warfare. This year, there will be far more real-time
• Digital Revelation
game data to keep spectators from getting bored. • Plan B
• Defconhackers
Seven teams and eight individuals will compete to be
• Shellphish
the 1337357 of the 1337. In order to prove their f00, • packet_loss
they will need to find and exploit vulnerabilities in
Individuals:
custom software. This ain’t no place for nessus—check • individual
your k1dd13 t00lz at the door. Teams will also have to • tenos
defend a machine running all of these crappy services. • stejerean
• structure
Those who can’t reverse a binary, dream in asm, or • atlas
stay in between the lines while coloring registers in • cangaceiros
the dark, will be excellent target practice for those • plato

who can.

Winners will be announced Sunday at DEFCON’s

closing ceremony.
11
 TCP/IP APPLIANCE CONTEST
Net-enabled devices have become more of a reality than fiction as computing power has increased and DEFCON BY PHONE
costs have decreased. Right now the industry is working on net enabling your home whether it’s your
Defcon By Phone is an
television or your refrigerator. The purpose of this contest is to think outside of the box that the industry is
interactive voice response
thinking and create TCP/IP enabled devices that are fresh, new, cool, and literally way outside of the box.
telephone-based schedule
There are two categories of devices in this contest. of the convention. It’s
more than just a
replacement for your
The first category is TCP/IP The second category is TCP/IP enabled
paper schedule; it will
embedded devices. These are peripherals. These are devices which
remind you when talks
stand alone devices which must be connected to a host system you're interested in seeing
simply need to be plugged such as a laptop or desktop are about to happen, and
into a hub or switch. The computer which hosts the TCP/IP it will let you know if they
device must host a TCP/IP enabled service for the device. The are rescheduled or
aware service which host system must be able to cancelled. Use Defcon By
someone can control and/or communicate with the attached Phone all weekend, then
query a status from over a device in order to control it and/or come and see Strom
LAN or the internet and have it query its status over a LAN or the Carlson and
report back to the remote client internet and report back to the remote Black Ratchet's
that is controlling/querying it. client which is controlling/querying it. talk on Asterisk
on Sunday to
find out more.
Devices in each category will be judged on originality, functionality, best value for actual cost and the
coolness factor.
Call Defcon
Three awards will be available. One for Best TCP/IP embedded device, Best TCP/IP enabled peripheral, and
By Phone
the Hax0r’s Choice Award where your peers vote for what they think is the most uber elite device in the now at
entire contest.” (800) 732-0442
For More Information, visit the Contest and Info Booth in Athena or www.dc480.org

12
DEFCON FORUMS MEETING
It’s that time of year again. Since September 2001, the Defcon
Forums have been providing a medium for Defcophiles to get
together and build an online community. In fact, we get about
1,000 unique visitors per day, with nearly 10,000 users registered,
60,000 posts and 5,000 discussion threads! Why should Defcon only
be three days a year? For some of us, Defcon is a lifestyle choice.

What: The Official Defcon Forum Meeting

When: Friday, July 28, 2005 from 2000 to 2200 (or later)
Where: Athena Room (Defcon Contest Area)
Why: A chance for forum users to get together and meet!

http://forums.defcon.org

O R G A N I Z E D B Y N U L LT O N E

13
14
WELCOME TO THE
DEFCON 13 WARDRIVING CONTEST

This year’s contest consists of 8 events. Two events will run simultaneously,
one easy, one more difficult. Each team will have to choose to participate in
the easy event, or the hard event. Easy events are worth 300 pts each. Hard
Events are worth 1000. In some cases points are awarded only to the event
winner. In others, points will be awarded (on a downward sliding scale) to
first, second, and third places or partial points may be awarded.

Teams must choose which contest they will participate in at a given time (the
easy one or the harder one). Teams may not split up and participate in both.
In the event that teams submit results/participate in both games, they will
not receive points for either. Teams may consist of 1 to 4 players.

Each contestant on each team must register on the DEF CON Forums. A
limited number of registrations may be accepted on site at DEF CON 13. Each
registered contestant must also check in with the WarDriving contest staff in
the contest area at DEF CON 13. Each event will run for a maximum of three
hours. Some of the easier games will run for less (in some cases only one
hour).

One easy game and one hard game will run from 1100 - 1400 on Saturday
and Sunday and the remaining games will run from 1700 - 2000 on Friday
and Saturday.

Check-in: Once you arrive at DefCon, you will need to check in at the DefCon
13 WarDriving contest sign in area located in the DefCon Contest Area.

CONTEST DESCRIPTIONS
 WarDrive (Easy: 200-300 points) The Last Crusade (Hard: 1000 points)
This year’s WarDrive is simplicity itself. Date/Time: Sunday, 31 July 11:00-14:00
Teams have 2 hours to collect 1000 total Object: Comprimise all 5 access points
access points. The first team to submit and get 1000 points.
1000 total access points will recieve 300
points. Each team that submits 1000 King of The Hill (Hard: 1000 points)
access points after that will receive 200 Date/Time: Friday 29 July 17:00-20:00;
points. Results may be submitted to the The total time for this contest is 3 hours.
contest staff via SFTP in the Contest area. Object: Just like when you were a kid, the
Each team’s combined results must be goal of “King of the Hill” is to get on top
submitted in NetStumbler .NS1 format. and stay on top.
Converters for Kismet to NetStumbler
format will be made available through LPCon/WD Contest Crossover (Hard:
the Wardriving website. 1000 WD Contest points)
Date/Time: Saturday, 30 July 17:00-20:00;
Running Man (Easy: 300 points) Time limit: 3 hours
Object: Be the first to locate and identify Object: Using DF skills track down an
the “Running Man.” access point that is transmitting from
Date/Time: Sunday 31 July, 11:00-12:00; inside a locked container. Pick the lock on
Time limit of 1 hour the container and take physical possession
of the Access Point.
Fox and the Hound (Easy: 300 points to
first team to locate the Fox. 200 points to The Lady and The Tramp (Easy: Up to
second, 100 points to third) 300 points on a sliding scale)
Date/Time: Saturday, 30 July 11:00-14:00; Date/Time: Saturday, 30 July 17:00-20:00
Time limit of 3 hours Object: Be the first one to compromise
Object: Be the first team to locate the “Tramp” and the “Lady” and then
the “Fox.” place your flag on the “Lady.”

Tag (Hard: 1000 points to first, 750 to

second, 500 to third, 100 to all others that
successfully complete the task)
Date/Time: Saturday, 30 July 11:00-14:00
Object: The goal is to place a text file
(yourname.txt) on the Desktop of a
particular machine (C:\Program
Files\Documents and Settings\All
Users\Desktop). The first one that does
wins. The text file must be in the format
listed below and have your PGP public key
so that we may confirm the winner.

h t t p : / / w w w. s e c u r i t y t r i b e . c o m / d c 1 3 w a r d r i v e / i n d e x . h t m l
15
 QUEERCON LPCON 3
THIRD ANNUAL LOCKPICKING CONTEST

The third annual DEFCON lock picking contest (LPCON3) will

be held in the Athena room again this year. This is the
opportunity for hobbyists and professionals to strut there
stuff, and show just how good they really are. We’ve had a
lot of fun this year, and with the help of some sponsors, hope
this year is an even greater experience. To sign up for the

Queercon got it’s start last year when we

contest, simply stop by the booth in the Athena. If you signed

realized there were a lot of queer hackers at

the sexy queers Friday night starting at 2200

ever! The rainbow flag returns again this

in Parthenon 2! All ages, all welcome.

up online, don’t forget to stop by and check in with us!

Check out queercon.org for more info.

threw the most controversial Defcon party

Defcon, but no good queer parties. We

decided to do something about it, and

The contest runs from 1300-1600 Friday and Saturday

glowsticks, and a cash bar. So come join

year in a new, bigger and better

afternoon. The event format welcomes participants as well

CMOS (L.A.) spinning live, free
space. In true club style we’ll have DJ

as spectators. In fact, the pressure from performing in front

of an audience can make even the fastest pick artist weak in
the knees, so we hope to have people come by and share in
the fun.

LPCON3 would like to thank lockpicking101.com, the Irvine

Underground, and thenetworkadministrator.com for
sponsoring the event this year. We’ve acquired a new group
of locks for the contest this year which should be more
robust, and more difficult thanks to our sponsors.

16
COFFEEWARS A M AT E U R C T F
Time to renew the time-honored hobby of teeth-grinding,
hypertension and general caffeinated insanity. With Defcon comes The
KING OF THE HILL
Defcon Coffee Wars!

Anyway, now’s the time when you have an All-Inclusive Divine Excuse 1) Sign ups will be done at con
to unashamedly mingle with your own kind without having to shroud (no exceptions)
your activities under the shadow of the Evil Corporate Coffee Empire! 2) You will get one point per minute for
Yes, now we caffeine fiends can gather without shame! each service you hack on the victim
WHAT? You want a shot of espresso?! We got your shot right here, pal. 3) No hacking the scorekeeper
This event ain’t no freebie. If you want a cup, you gotta pony up. 4) No spoofing as the victim system
Coffee, that is. Whole bean. We’re judging it all. The best, the 5) No DoS/DDoS the scorekeeper nor
strongest, the most caffeinated. You name it. ...but regular store- the victim
bought or corporate coffee trash will only earn a trashing. 6) We encoruage all contestants to make
You think you got what it takes? Then we’ll take what you got! Bring
a small write up of the hacks they use,
your best beans and put ‘em up for judgment by our over-qualified, as these will be summarised and made
over-caffeinated, (and over-rated) Coffee Wars judges and contestant avaliable as a “hand book” for later
panel! We keep hearing that someone else’s beans are the best. Now distribution.
it’s time to prove it bean-to-bean! 7) no bitching (this contest is the first of
“If kids today chose coffee over methadone,
many and a work in progress so bear
the world would be a far better and more productive place.” with us Razz)
—AJ Rez

Visit the Info-Contest Booth in Athena

for more details!

17
 SPOT THE FED CONTEST
The ever popular paranoia builder. Who IS that person next to you?
Same Rules, Different year!

Basically the contest goes like this: If you see military ID angling for a shirt, so civilian DOUBLE SECRET
some shady MIB (Men in Black) earphone penny contractors are not even considered! NOTE TO FEDS:
loafer sunglass wearing Clint Eastwood to live To space things out over the course of the show
As usual this year I am
and die in LA type lurking about, point him out. we only try to spot about 8 feds a day or so.
printing up extra “I am the Fed!” shirts, and will
Just get Priest’s attention (or that of a Goon(tm) Because there are so many feds at DEF CON this
be trading them for coffee mugs, shirts or
who can radio him) and claim out loud you think year, the only feds that count are the kind that
baseball hats from your favorite TLA. If you want
you have spotted a fed. The people around at the don’t want to be identified.
to swap bring along some goodies and we can
time will then (I bet) start to discuss the trade. I’ve been doing this for a few years now,
possibility of whether or not a real fed has been NOTE TO THE FEDS: This is all in good fun, and if and I can honestly say I must have ten NSA mugs,
spotted. Once enough people have decided that you survive unmolested and undetected, but two NSA cafeteria trays, and a hat. I’d be down
a fed has been spotted, and the Identified Fed would still secretly like an “I am the fed!” shirt to for something more unusual this time. One year
(I.F.) has had a say, and informal wear around the office or when an INS agent gave me a quick reference card
vote takes place, and if enough booting in doors, please contact (with flow chart) for when it is legal to perform a
people think it’s a true fed, or fed me when no one is looking and I body cavity search. Now that is cool. Be stealth
wanna-be, or other nefarious style will take your order(s). Just about it if you don’t want people to spot you.
character, you win a “I spotted the think of all the looks of awe Agents from foreign governments are welcome
fed!” shirt, and the I.F. gets an “I you’ll generate at work to trade too. If I can’t be found then Major
am the fed!” shirt. To qualify as a wearing this shirt while you Malfunction is my appointed Proxy.
fed you should have some Law file away all the paperwork
Enforcement powers (Badge / you’ll have to produce over
Gun) or be in the DoD in some this convention. I won’t turn
role other than off duty soldier or in any feds who contact me,
Marine. What we are getting as is they have to be spotted by
there are too many people with others.

18
WI-FI SHOOTOUT
At last year’s contest, amateur engineering took a new turn
as three teenage ham radio operators from Ohio established
a new world’s record (certified by the Guinness Book of World
Records) for an unamplified wifi connection. Using two The Unofficial Defcon 13 Toxic BBQ
consumer-grade 32-milliwatt Orinoco Gold USB wifi adapters will be held for its second year on
mounted on the feed points of two surplus 9-1/2 foot satellite Thursday, July 28th 18:00:00 until the
dishes, the team known as P.A.D. achieved a verified connect event dies out. The event is held in
distance of 55.1 miles (88.67 kilometers), without the use of the center of Sunset Park, between
external amplification. This year’s contest is sure to once the parking lot and the pirate flag.
again shatter all preconceived notions as to how far a wifi Last year some 70 or so hackers met
signal can travel! As usual, this year’s teams will be drawn to grill and drink before the
from the pool of approximately 5000 Defcon attendees to see conference took off, this year
whose wifi reigns supreme! Spectacular prizes and fun are we’re doing the same.
available to all who participate.
Maps, information,
To enter, read all of the details at and pictures available at
www.wifi-shootout.com, and then meet in the Athena www.toxicbbq.com
contest room at noon on Friday or Saturday, July 29 and 30.
Sponsored by

TOXIC BBQ
19
 THE NIGHT BEFORE DEFCON
AS READ BY THORN TO HIGHWIZ AND STITCH
(With sincere apologies to the memory of Clement Clarke Moore)

'Twas the Night Before DefCon, in Steven Job's house, "Tough shit" said the louse, "We'll get what we need"
A Support line rang and was answered by a louse. You signed our TOS, which you didn't read
"My new G4 is broke" ol' Roamer had said, We'll get all your p0rn, and your smart-assed replies,
"What will you do? The fucking thing's dead." As well as the IPs of those DC guys."

"Just send it all back" the louse he replied. So the louse and his friends took Roamer's code,
"We'll fix it up quick, no matter how fried." When Chris saw the logs, he thought his head would explode.
"There's just one little thing, that you really should know, But he crafted a plan, and created a site,
need all your passwords to make it all go." By which his cohorts would know of his plight.

"Are you fucking nuts?" Chris quickly returned, This sad story is true, and the moral is plain,
"IF I give out my passwords, I'll surely be burned." If you piss Roamer off, you'll just end up in the Fucktard Hall of Fame .
"You'll see all my p0rn, and my witty retorts,
"To all the DC guys, of whom I make sport." Thorn

"Like Alx, or HighWiz, or Medic or Noid"

and forty other people I have to avoid.
You'll grab all my JPEGs of titties and buns
And see all my code which makes it all run."

20
 BOOKSIGNINGS
You Are Who the Computer
Says You Are

The first two books in this series,

Stealing the Network: How to Own the
Box and Stealing the Network: How to Richard Thieme Kevin Mitnick Johnny Long
Fri, 1100 Fri, 1200 Sat, 2000
Own a Continent, have become classics
in the Hacker and Infosec communities
because of their chillingly realistic
depictions of criminal hacking
techniques and strategies. But what happens when the tables turn,
and the criminal hackers become the targets of both law enforcement
Authors Andrew Lockhart Authors
and each other? What happens when they must evade detection by Fri, 1900 Sat, 1200 Sat, 1500

creating new identities and applying their skills to get out fast and
vanish into thin air. In Stealing the Network: How to Own an Identity,
Books are available
the hacker crew you’ve grown to both love and hate find themselves for purchase from
BreakPoint Books.
on the run, fleeing from both authority and adversary. They must now
use their prowess in a way they never expected—to survive...
Jay Beale Authors
Sun, 1300 Sun, 1400
BOOK SIGNING WITH THE CONTRIBUTORS ON FRIDAY @ 15:00

B O O K S I G N I N G S O R G A N I Z E D B Y R O A M E R

21
ROBOT WAREZ CONTEST
THE GOAL:
Each bot starts at one end of a rectangle, three walls are in the driving section which the bot must
navigate to get to the other end. At the end are 25 ping pong balls randomly spread on the floor.
Picking up a ball gets a point.
The balls may be used to
shoot down several cans
placed on the top of the
wall at the starting end of
the arena, knocking
those cans down
are worth more
points. The best
score at the end

of the timed match wins.

MORE INFO:
The remainder of the rules and details can be found here:
http://www.robotwarez.org/rules.html

Interested contestants should meet in the Contest Area

(Athena) between 1045 - 1100, Friday morning for initial
meet/greet and Q&A.
h t t p : / / w w w. r o b o t w a r e z . o r g
SPEAKERS
A New Hybrid Approach for Infrastructure Discovery, of active scanning will monitor the network for a response to be, or not, received
Monitoring and Control from probed targeted network elements, and according to the type of response, and
Ofir Arkin, CTO and Co-Founder, Insightix the conclusions following (part of an implementation’s intelligence), knowledge will
The first part of the talk presents the current available network discovery technologies, be gathered about the underlying operating system.
active network discovery and passive network discovery, and explains their strengths This talk examines the current state of remote active OS fingerprinting technology
and weaknesses. The talk highlights technological barriers, which cannot be overcome, and tools: the different methods used today, the issues associated with them, the
with open source and commercial applications using these technologies. limitations, where the current technology is, what can and cannot be accomplished,
The second part of the talk presents a new hybrid approach for infrastructure and what should be done in the future.
discovery, monitoring and control. This agent-less approach provides with real-time, The talk also highlights the accuracy aspects of several active operating system
complete, granular and accurate information about an enterprise infrastructure. The fingerprinting tools, analyzes them and compare between them.
underlying technology of the solution enables maintaining the information in real- During the talk a new version of Xprobe2, a remote active OS fingerprinting tool
time, and ensures the availability of accurate, complete and granular network context will be released.
for other network and security applications. Introducing the Bastille Hardening Assessment Tool
During the talk new technological advancements in the fields of infrastructure Jay Beale, Lead Architect, Bastille Linux
discovery, monitoring and auditing will be presented.
Bastille has been re-released as an assessment and hardening tool. With the help of
Ofir Arkin is the CTO and Co-founder of Insightix, which pioneers the next generation of
the US Government’s TSWG, we’ve added full hardening assessment capabilities,
IT infrastructure discovery, monitoring and auditing systems for enterprise networks. Ofir
complete with scoring. This allows Bastille to measure and score an individual
holds 10 years of experience in data security research and management. Prior to co-
system’s security settings against user-provided guidelines, possibly before allowing a
founding Insightix, Ofir served as a CISO of a leading Israeli international telephone
system onto the network. Security or system administrators can use this to assess the
carrier. In addition, Ofir has consulted and worked for multinational companies in the
relative state of a given system compared to Best Practices, to other systems in the
financial, pharmaceutical and telecommunication sectors.
Ofir is an active member with the Honeynet project and is co-author of the team’s
organization, or to an organization-supplied minimum standards file. They can also
book, “Know Your Enemy” published by Addison-Wesley. Ofir is also the founder of
use it to learn what hardening steps would be helpful for the given system. Bastille’s
Sys-Security Group (http://www.sys-security.com), a computer security research group. new mode can even help in verifying compliance with new legislation, including
Sarbanes Oxley, GLBA and HIPAA. It can also help in lowering insurance premiums—
On the Current State of Remote Active OS Fingerprinting AIG, the largest provider of cybersecurity insurance, decreases premiums by 15% for
Ofir Arkin, CTO and Co-Founder, Insightix organizations following best practices in proactive defense.
Active operating system fingerprinting is a technology, which uses stimulus (sends Open source tools have hardened systems in the past (Bastille, Titan, YASSP), while
packets) in order to provoke a reaction from network elements. The implementations free or open source tools have measured security settings in the past (COPS, CIS Unix
23
 Scoring Tool). No popular open source tool besides Bastille can do both, using the deployed and run on the target, whether an exploit methodology, or a tool. The proof
weaknesses found in an audit to harden systems. This functionality would normally of concept deployable binary weights in at 120K. The framework makes use of Lua as
be found only in a separate tool and thus warrants the re-release of Bastille. the scripting language, and is freely available with a BSD license.
We originally released Bastille Linux/Unix in 1999 as a host hardening tool, built to Wes Brown is a senior security consultant, security researcher, having started working in
tighten security settings on a system, set stronger policies on that system and the field almost a decade ago. He specializes in penetration testing, and tools writing, but
educate system administrators. Bastille has been extremely popular and has since is greatly interested in conducting security research as well. He has written numerous in-
been ported to seven Linux distributions, OS X and HP-UX. Support for FreeBSD and house tools for Internet Security System’s X-Force Consulting team, of whom he is a
Solaris is underway. Bastille ships by default with Gentoo, Debian(apt-get) and HP- member of.
UX, the latter of which has made it part of the installer and contributes two
Scott Dunlop is a father, software developer, security researcher and short order cook, in
developers to the project. that order; other public projects by Scott include Cloud Wiki, IPAF Packet Analysis
Jay Beale is a information security specialist, well known for his work on mitigation Framework, and the Sickle Communication Language.
technology, specifically in the form of operating system and application hardening. He’s
written two of the most popular tools in this space: Bastille Linux, a lockdown tool that Development of An Undergraduate Security Program
introduced a vital security-training component, and the Center for Internet Security’s Unix Daniel Burroughs, University of Central Florida
Scoring Tool. Through Bastille and his work with the Center, Jay has provided leadership At the University of Central Florida, an undergraduate program in security is currently
in the Linux system hardening space, participating in efforts to set, audit, and implement being developed. This program will offer students a bachelor’s degree through the
standards for Linux/Unix security within industry and government. He also focuses his College of Engineering. It is intended to be an interdisciplinary degree combining
energies on the OVAL project, where he works with government and industry to
coursework from the School of Engineering and Computer Science, College of Health
standardize and improve the field of vulnerability assessment. Jay is also a member of the
and Public Affairs, and the National Center for Forensic Studies.
Honeynet Project, working on tool development.
The purpose of this talk is to present the program being developed and to receive
Jay makes his living as a security consultant with the firm Intelguardians, which he co-
feedback regarding what material and what areas such a program should cover. The
founded with industry leaders Ed Skoudis, Eric Cole, Mike Poor, Bob Hillery and Jim Alderson,
department that it is being offered through (Engineering Technology) is an applied
where his work in penetration testing allows him to focus on attack as well as defense.
engineering department, taking a very hands-on approach to learning. As such it is
Mosquito - Secure Remote Code Execution Framework necessary to develop our courses of study based on feedback from industry and the
Wes Brown, Senior Security Consultant community.
Scott Dunlop, Security Researcher Daniel Burroughs is currently an Assistant Professor in the College of Engineering at the
Mosquito is a lightweight framework to deploy and run code remotely and securely in University of Central Florida. His current research involves the development of the Florida
the context of penetration tests. It makes a best effort to ensure that the Department of Law Enforcement Data Sharing Consortium and the development of a
communications are secure. Special care is taken to ensure that deployed code is not undergraduate security engineering program at UCF. His past work at the Institute for
Security Technology Studies at Dartmouth College focused on using target tracking
stored outside of process memory space, making it difficult for an eavesdropper to
techniques to correlate data from multiple IDS and other sensors spread over large
obtain the code. It protects the confidentiality and trade secrets of code that is
scale networks.
24
Auto-adapting Stealth Communication Channels existed but which you will find yourself inexplicably compelled to set up and play
Daniel Burroughs, University of Central Florida with. Covered topics will include hardware, trunking, PSTN termination, integration
Intrusion detection systems and firewalls generally follow one of two methods of with the Web and customization.
attack detection, signature or anomaly. Signature detection detects known attacks A Q&A session will follow the talk, accompanied by giveaways of selections from
and anomaly detection covers unusual activity (with the hope that it will discover Strom’s massive pile of vintage telephone equipment. If you can’t make it to the talk
new attacks). Often what is detected by the IDS or firewall is not the original attack, itself, you will still be able to participate; a call-in Q&A queue will be provided for
but rather the communication that occurs afterwards. Known methods are easily those watching the talk on TV in the hotel.
picked up by signature detection, new methods are either picked up by anomaly Strom Carlson is the organizer of DC213 and has been playing with telephones for years
detection or have a limited lifespan (signatures are created to detect them). That now; he has an intense interest in the structure and history of the telephone network and
leads us to the dilemma of trying to create a covert communication scheme with no will start yammering away for hours about it if you’re not careful. He collects all things
(easily) detectable pattern and one that does not cause statistical anomalies. related to telephony (including recordings), and although he is rapidly running out of
The key to solving this dilemma is to use a scheme that is not consistent in its space in which to store his many cubic meters of telephone equipment, he will eagerly
appearance and adapts itself to match its current surroundings. The traffic on one and compulsively snap up anything made or published by Western Electric if given the

network will very from that on another network. This means that what will look chance. He encourages all phone phreaks and interested parties to play extensively with
the phone network and learn everything they can; he also encourages you to listen to
unusual or out of place on one network might not look so strange on another. By
everything on www.phonetrips.com and to poke around www.stromcarlson.com
analyzing the conditions that exist on a network and then adapting the
communication scheme to fit in with those conditions, a well camouflaged Black Ratchet is just another phone phreak from Boston. He enjoys computers, radios,
communication channel can be created. and, of course, anything remotely related to the Public Switched Telephone network. He
This talk covers the concepts for such a communication system. It will cover the has been playing with telephones since he was eleven, and after a somewhat lengthy
development and research being performed currently as well as providing a sabbatical in college, had a relapse and returned to his old ways in late 2003. He is the
moderately technical discussion of the background concepts for such a system. organizer and webmaster of Yet Another Payphone List at www.yapl.org and is an active
member of the Digital Dawg Pound at www.binrev.com. He can be found at
Be Your Own Telephone Company...With Asterisk www.blackratchet.org, and on forums.binrev.com.
Strom Carlson & Black Ratchet
Analysis of Identity Creation Detection Schemes post-9/11
Since the invention of the step-by-step switching office by Almon B. Strowger in Cerebus
1889, telephone switching technology has constantly become more efficient, more
Have you wondered exactly how personal information is being used to help in the
complex and easier to manage. Today, anyone with a computer, a telephone and
detection of Identity Creation in the post-9/11 world? Exactly how safe are social
some spare time can assemble a homebrew telephone switching system and become
security numbers as a means to identity? How easy is it to create a valid SSN that will
their own miniature telephone company with the aid of a program called Asterisk.
pass inspection by the Identity detection systems in place for business and
This presentation will give a brief overview of Asterisk, how to set it up, what it can
government today? Or how you can recreate someone’s SSN only knowing their date
do, and how to integrate it with your existing network. Furthermore, you will be
of birth and the last four digits of their SSN? This presentation will explain how
introduced to a whole world of features and capabilities you didn’t even know
current identity creation detection schemes work. You will leave understanding what
25
 these schemes look for to flag someone as needing more investigation to establish University, Scotland. He has also worked as a consultant for a number of companies
that they are who they say they are. You will also learn about the history of the social including 3Com, and Logica UK’s Space Division.
security number, what the number means, and how it is used to establish identity. Oskar Sandberg is a post graduate student at the Chalmers Technical University in
Cerebus has worked for 10 years for one of the world’s largest Marketing Database Gothenburg, Sweden. He is working on a PhD about the mathematics of complex
companies. He has designed Identity detection schemes for some of the top credit networks, especially with regard to the small world phenomenon. Besides this he has an
agencies in the US. active interest in distributed computer networks and network security, and has been an
active contributor to The Freenet Project since 1999.
Routing in the Dark: Scalable Searches in Dark P2P
Networks Countering Denial of Information Attacks
Ian Clarke, Project Coordinator, FreenetProject Inc. Greg Conti, United States Military Academy, West Point,
Oskar Sandberg, Department of Mathematical Sciences, New York
Chalmers Technical University, Sweden We are besieged with information every day, our inboxes overflow with spam and our
With peer to peer networks under fire by organizations using the legal system to search queries return a great deal of irrelevant information. In most cases there is no
attack participants, it seems that the only sustainable future is for dark, encrypted, malicious intent, just simply too much information. However, if we consider active
networks where participants only talk to peers that they know and trust. Such malicious entities, the picture darkens. Denial of information (DoI) attacks assail the
networks, like WASTE, already exist to some extent, but they scale poorly and do not human through their computer system and manifest themselves as attacks that
allow global communication. target the human’s perceptual, cognitive and motor capabilities. By exploiting these
This does not need to be the case, however. The “small world” observations, going capabilities, attackers reduce the ability of humans to acquire and act upon desired
back to Milgram’s famous experiments in the sixties, show that social networks have information. Even if a traditional denial of service attack against a machine is not
all the right characteristics for being easy and efficient to navigate and search. It possible, the human utilizing the machine may still succumb to a DoI attack. Typically
stands to reason that, under the right circumstances, so should a Darknet. We present much more subtle (and potentially much more dangerous), DoI attacks can actively
algorithms for making routing possible in such networks, based on the real alter the decision making of humans, potentially without their knowledge. This talk
mathematics of how small worlds function. The goal is to build peer to peer networks explores denial of information attacks and countermeasures and uses network
that are difficult for outsiders to detect and infiltrate, making the job of those who visualization scenarios to illustrate the problem.
wish to shut them down much harder. Greg Conti is an Assistant Professor of Computer Science at the United States Military
Ian Clarke is the architect and coordinator of The Freenet Project, and the CEO of Academy. He holds a Masters Degree in Computer Science from Johns Hopkins University
Cematics Ltd, a company he founded to realise commercial applications for the Freenet and a Bachelor of Science in Computer Science from the United States Military Academy.
technology. Ian is the co-founder and formerly the CTO of Uprizer Inc., which was His areas of expertise include network security, information visualization and information
successful in raising $4 million in A-round venture capital from investors including Intel warfare. Greg has worked at a variety of military intelligence assignments specializing in
Capital. In October 2003, Ian was selected as one of the top 100 innovators under the Signals Intelligence. Currently he is on a Department of Defense Fellowship and is
age of 35 by the Massachusetts Institute of Technology’s Technology Review magazine . working on his PhD in Computer Science at Georgia Tech. His work can be found at
Ian holds a degree in Artificial Intelligence and Computer Science from Edinburgh www.cc.gatech.edu/~conti and www.rumint.org.

26
Sketchtools: Prototyping Physical Interfaces The Information Security Industry: $3 Billion of Snake Oil
Matt Cottam, Creative Director, Tellart; Faculty, Industrial David Cowan, General Partner, Bessemer Ventures
Design, Rhode Island School of Design A raging fear of The Computer Evildoers has driven enterprises to the safety of the
Industrial designers working in traditional media have the luxury of sketching, herd, buying whatever elixirs the big vendors peddle. Security consumers waste
playing, and experimenting with their materials before constructing a finished billions of dollars on ineffective (but well integrated!) solutions. However, as
product. Designers working with electronics and computers are relatively technology users grow more sophisticated about security threats (often learning the
impoverished. To “sketch” with electronics or computers would typically require hard way), opportunities will surface for innovative startups to deliver effective IT
extensive training in engineering and ready access to inexpensive parts— survival mechanisms. This talk will review the industry’s blunders, and sources of
requirements that most designers can’t easily meet. This deficiency—this inability to opportunity.
work closely with materials before building with them—hampers designers’ efforts David joined Bessemer Venture Partners in 1992. David has since made 43 early-stage
to make products sensitive to human use. This paper describes an attempt to address investments for Bessemer, including 19 that have gone public, and 16 that have been
this problem in a human-computer interaction (HCI) design studio at a major design acquired by public companies. David initially focused on communications technology
school. The course itself was an exercise in design: it worked within severe constraints companies like Ciena, P-Com, and PSI-Net, and then internet services such as Keynote,
to address a human need. We describe our attempt to shape the course to meet Flycast, Hotjobs and Blue Nile. In 1995 he cofounded Verisign as a Bessemer-funded
students’ most pressing needs; our students’ attempts to work within the constraints spinout of RSA, serving as VeriSign’s initial Chairman and CFO. His other data security
of the course; and the outcomes of the course for students and faculty. The paper investments have included Counterpane, Cyota, Determina, eEye, Elemental Security,
suggests that the course offers one way to experiment with HCI concepts, produce Finjan, ON Technology (acquired by Symantec), Postini, Qualys, Tripwire, Tumbleweed,
innovative solutions to design problems, and—crucially—humanize new Valicert and Worldtalk (both of which Tumbleweed acquired). David also teaches
technologies and the design process.” computer science at the Keys Middle School in Palo Alto. He received both his B.A. in
math and computer science and his M.B.A. degrees from Harvard University.
Matt Cottam has a Bachelor of Fine Arts and Bachelor of Industrial Design degrees from
Rhode Island School of Design (RISD). Matt’s thesis work at RISD was to conduct human- CISO Q&A with Dark Tangent
factors research for the Habitability Design Division of NASA. Since 1998 Matt has been
Scott Blake, Liberty Mutual
the core instructor of the Structured Multimedia Module of the International Certificate
Pamela Fusco, Merck
Program in New Media at the Fraunhofer Center for Research in Computer Graphics.
Ken Pfiel, Capital IQ
Since 1999 he has been a member of the faculty at RISD; he teaches critical human-
Justin Somaini, Verisign
centered design and human-computer interaction design for the departments of
Andre Gold, Continental Airlines
Industrial Design, Graphic Design, Photography, and The Digital Media Graduate
David Mortman, Seibel Systems
Program. Matt cofounded Tellart and specializes in human-computer interface design
technology, methodology, and pedagogy. The Dark Tangent, founder of DEFCON, invites Chief Information Security Officers
from global corporations to join him on stage for a unique set of questions and
answers. What do CISOs think of David Litchfield, Dan Kaminsky, Joe Grand,
Metasploit, Black Hat, and DEFCON? How many years before deperimeterization is a
27
 reality? Is security research more helpful or harmful to the economy? What privacy were released to customers. A CISSP, member of USENIX/SAGE and ISSA, and speaker at
practices do CISOs personally use? These questions and others from the audience will RSA 2002 and 2005 security conferences, Mr. Mortman has also been a panelist at
be fielded by this panel of security visionaries. InfoSecurity 2003 and Black Hat 2004.

Scott Blake is CISO for Liberty Mutual Insurance Group and is responsible for information Whiz Kids or Juvenile Delinquents: A Sociological
security strategy and policy. Prior to joining Liberty, Scott was VP of Information Security Perspective The Construction of Hacker Identity
for BindView Corporation where he founded the RAZOR security research team and Amanda Dean
directed security technology, market, and public affairs strategy. Scott has delivered many
lectures on all aspects of information security and is frequently sought by the press for The paper I will be presenting serves as a rudimentary literature review on how
expert commentary. hackers may be constructed as either deviants or non-deviants in society. This
presentation begins by placing hackers within the framework of sociological
Pamela Fusco is an Executive Global Information Security Professional, for Merck & CO.,
literature on deviance. I talk about how deviance has historically been a social
Inc. She has accumulated over 19 years of substantial experience within the Security
construction, with the more powerful members of society defining what it is to be
Industry. Her extensive background and expertise expand globally encompassing all facets
deviant, and those with less power are frequently applied the label. I apply
of security inclusive of logical, physical, personal, facilities, systems, networks, wireless,
and forensic investigations. Presently she leads a talented team of Compliance, Systems
sociological definitions of deviants to hackers, and am able to refute these claims in
and Information Security Engineers operating a world-wide 24X7X365 SIRT (security many cases.
incident response team). I am a doctoral student in the sociology department at the University of Nevada, Las

Ken Pfeil is CSO at Capital IQ, a web-based information service company headquartered Vegas. The vast majority of my friends are “techies,” and as a social scientist, I’m a bit of

in New York City. His experience spans over two decades with companies such as an outcast. I mitigate some of that by focusing my research attention on the effects of

Microsoft, Dell, Avaya, Identix, and Merrill Lynch. Ken is coauthor of the books “Hack technology on and within society. While getting my master’s degree in Criminal Justice at

Proofing Your Network - 2nd Edition” and “Stealing the Network: How to Own the Box,” Grand Valley State University, I began to look at some of the laws protecting information

and a contributing author of “Security Planning and Disaster Recovery” and “Network and technology, and their social consequences. For my dissertation, I’d like to turn my

Security–The Complete Reference.” attention specifically on hackers, hactivism, and global social movements. In my spare
time I’m a big time gaming geek which I balance with my addiction to drag racing and
Justin Somaini is Director of Information Security at VeriSign Inc. where he is responsible
canyon carving on my sport bike.
for managing all aspects of network and information security for VeriSign. With over 10
years of Information Security and Corporate Audit experience, Justin has leveraged his Introduction to Lockpicking and Physical Security
knowledge of audit and large organizations to remediate global infrastructure problems Deviant Ollam
and create a full risk identification and remediation Information Security group.
Physical security isn’t just a concern of the IT world. Besides securing server rooms,
David Mortman, CISO for Siebel Systems, Inc., and his team are responsible for Siebel locks of all sizes and styles are scattered throughout our lives. However, much of the
Systems’ worldwide IT security infrastructure, both internal and external. He also works general public is unaware of the insecurities present in many lock designs. Through
closely with Siebel’s product groups and the company’s physical security team. Previously, discussion and direct example, Deviant Ollam will address the strengths and
Mr. Mortman was Manager of IT Security at Network Associates, where, in addition to
weaknesses of standard pin tumbler locks, combination locks, warded locks, wafer
managing data security, he deployed and tested all of NAI’s security products before they
locks, and more. Discussion of effective tools, advanced techniques, master key
28
theory, and lesser-known picking techniques will also be covered. This talk is aimed at particular forms of knowledge and power are privileged in the production of maps,
lockpick novices who are interested in better security and learning lockpicking skills. and how those maps themselves produce particular geographic imaginations. As new
While always the first to admit that he’s no Barry Wels, Deviant hopes to have a good virtual spaces are opened up through communication technologies such as the
time with this lockpick talk and looks forward to hand-on audience participation. Internet, maps remain one of the important ways that these spaces are articulated to
Many styles of practice locks and picks will be made available. the public. However, when creating these new maps of cyberspace, it is necessary to
While paying the bills as a network engineer, Deviant Ollam’s first and strongest love has remain aware of the political meaning contained in these representations. Maps of
always been teaching. Employed periodically at schools in the greater Philadelphia area, the internet that depict it as a disembodied, decentralized and unregulated space
he is presently a student at the New Jersey Institute of Technology in the hopes of tacking may in fact promote particular interests such as capitalism and national security,
some actual letters to his name and doing the professor gig full time. A fanatical while suppressing others. The aim of this presentation is to open up a dialogue
supporter of First Amendment rights who believes that the best way to increase security where we can collectively critique existing maps of cyberspace and imagine
is to publicly disclose vulnerabilities, Deviant has given lockpick demonstrations at other alternatives that may be more sensitive to a competing range of interests, including
con events and various schools. those of the hacker community.
Kristofer Erickson is currently completing his PhD in Geography at the University of
The Hacker’s Guide to Search and Arrest
Washington in Seattle, where he teaches an undergraduate seminar on Law and
Steve Dunker, Esq
Cyberspace. He is motivated by a desire to bridge the gap between academic scholarship
Have you ever been pulled over by the Cops? Do you worry about your home being and politics, which is one of the reasons he is thrilled to be able to present at Defcon.
searched by the Feds? The Hacker’s Guide to Search and Arrest is presented in a down Recent notable accomplishments include attending the September Project, a nationwide
and dirty fast pace. You won’t hear a single boring case citation here. Instead you get effort to promote community discussion of democracy and freedom in local public
information you can use in every day life, presented in a way that won’t make your libraries, legitimately playing a round of Final Fight on the jumbotron screen during an
eyes gaze over. Learn when the Government can legally perform searches or make undergraduate college class, and standing up for the blogosphere in a roomful of old-
arrests. Find out what you can do if you are a victim of an illegal search or seizure. guard Marxist academics in Denver Colorado.

Steve Dunker is a Professor of Criminal Justice at Northeastern State University. He is a Hacking Nmap
former Major Case Squad Detective who worked as a planner and supervisor of an anti-
Fyodor
crime and decoy unit. He is a licensed attorney in the State of Missouri.
While many security practitioners use Nmap, few understand its full power. Nmap
The Power to Map: How Cyberspace Is Imagined Through deserves part of the blame for being too helpful. A simple command such as “nmap
Cartography scanme.insecure.org” leaves Nmap to choose the scan type, timing details, target
Kristofer Erickson, The University of Washington Department ports, output format, source ports and addresses, and more. You can even specify -iR
of Geography (random input) and let Nmap choose the targets! Hiding all of these details makes
An ongoing project for scholars in Geography has been to explore how power and Nmap easy to use, but also easy to grow complacent with. Many people never
cartography are mutually implicated. Geographers have traditionally been concerned explore the literally hundreds of available options and scan techniques for more
with making maps of the earth, but until recently we have seldom reflected on how powerful scanning.

29
 In this presentation, Nmap author Fyodor details advanced Nmap usage—from Hacking in a Foreign Language: A Network Security Guide
clever hacks for teaching Nmap new tricks, to new and undocumented features for to Russia (and Beyond)
bypassing firewalls, optimizing scan performance, defeating intrusion detection Kenneth Geers
systems, and more. A brief introduction to Russia will be followed by 1,000 traceroutes over the frozen
Fyodor authored the popular Nmap Security Scanner, which was named security tool of tundra described in detail, along with an explanation of the relationship between
the year by Linux Journal, Info World, and the Codetalker Digest. It was also featured in cyber and terrestrial geography. Information will be provided on Russian hacker
the hit movie “Matrix Reloaded” as well as by the BBC, CNet, Wired, Slashdot, groups and law enforcement personnel, as well as a personal interview with the top
Securityfocus, and others. He also maintains the Insecure.Org and Seclists.Org security Russian cyber cop, conducted in Russian and translated for this briefing.
resource sites and has authored seminal papers detailing techniques for stealth port You will receive a short primer on the Russian language, to include network
scanning, remote operating system detection via TCP/IP stack fingerprinting, version security terminology, software translation tools, and cross-cultural social engineering
detection, and the IPID Idle Scan. He is a member of the Honeynet project and a co- faux-pas (this method will apply to cracking other foreign languages as well).
author of the books “Know Your Enemy: Honeynets” and “Stealing the Network: How to
Hacking in a Foreign Language details a four-step plan for crossing international
Own a Continent”.
frontiers in cyberspace. First, you must learn something about the Tribe: in this case,
A Safecracking Double Feature: Dial ‘B’ For BackDialing the chess players and the cosmonauts. Second, you must study their cyber Terrain. We
and Spike the Wonder Safe will examine the open source information and then try to create our own network
Leonard Gallion map using traceroutes. Third, we will look at the Techniques that the adversary
employs. And fourth, we will conquer Translation. The goal is to level the playing field
This presentation will introduce two powerful, non-destructive safe opening
for those who do not speak a foreign language. This briefing paves the way for
techniques. The first “Dial B For BackDialing,” will trace the history of backdialing all
amateur and professional hackers to move beyond their lonely linguistic and cultural
the way from Richard Feynman working on the atomic bomb (and opening safes) in
orbit in order to do battle on far-away Internet terrain.
the 1940’s, to today. This presentation will show how mechanical safes have changed
since Feynman’s time, but how most are still vulnerable to both his method and the Kenneth Geers (M.A., University of Washington, 1997) is an accomplished computer
security expert and Russian linguist. His career includes many years working as a
simpler Nascar(tm) technique. The next part of the presentation, “Spike the Wonder
translator, programmer, website developer and analyst. The oddest job he has had was
Safe” will demonstrate how to defeat the two locking mechanisms of a popular office
working on the John F. Kennedy Assassination Review Board (don’t ask). He also waited
safe using just an ink pen and a battery, all in under two minutes.
tables in Luxembourg, harvested flowers in the Middle East, climbed Mount Kilimanjaro,
Leonard Gallion, is the Vice President of Information Services for a Dallas Texas company was bitten by a deadly spider in Zanzibar and made Trappist beer at 3 AM in the
and has over 20 years of experience in the I.T. and Security fields. Primarily focusing on Rochefort monastery. He loves to read computer logfiles while playing chess and listening
the non-destructive (stealthy) compromise of physical security, he has publicly presented to the St. Louis Cardinals. He loves Russia, his wife Jeanne, and daughters Isabelle,
on such topics as lockpicking, safecracking and high security lock bypass. In addition, he Sophie, and Juliet. Kenneth drinks beer and feeds the empty cans to camels.
published an article in the Summer 2004 issue of 2600 magazine on his hobby, creating
“Impromptu Lock Picks” from common office supplies.

30
Many Thanks to Mike Koss for allowing us to reproduce his paper Enigma.
Visit his website at:
http://mckoss.com/crypto/enigma.htm
Bacon: A Framework for Auditing and Penetration Testing about Medeco side bars and how they’ve been beaten. You will learn about mul-t-lock
Hernan Gips pin-in-pin cylinders and how they’ve been beaten. You will learn the basics of safe
Nowadays there is a lack of adequate frameworks to make the security consulters manipulation. This is not a “Talk” that will teach you how to pick, the “pick-proof”
and pen testers life easy. A lot of separated or integrated tools like automating locks. It will give you the foundation and methods that will allow you to understand
penenetration Testing tools improve their performance but aren’t very useful for the these locks, and the concepts behind picking them. Punch and Pie will be served.
real world consultant. Also some languages, which are not too powerful and complex Michael D. Glasser is a Security Consultant in the New York Tri-State Area. He is currently
like python makes others tools hard to expand to the public in general. In reality, the employed by one of the worlds largest security consulting firms. Though he consults
need for flexible, modular and extensible but also powerful kind of tool is growing in primarily on physical security, other forms of security are often part of his scope of work.
today’s computing security scene due to substantial increases in the security, pen Glasser has been in the security industry for more then 10 years. He started as a technician
testing and code audit market. The goal of this paper is to motivate a renewed in the field installing electronic security, and broadened his technical knowledge to cover
interest and present a solution based on nowadays technologies capable to handle all electronic and conventional security methods. Glasser is Licensed by New York State
the real world challenges and to be useful. and a Burglar and Fire Alarm Installer, Certified as a Locksmith, and has numerous
Bacon is an introduction to a generic framework for penetration testers and electronic security certifications. He is an active member of many local, state and national
consultants as well as an Open Source modular framework. Bacon’s core component associations. He teaches classes on electronic security in the New York Area.
is developed in C# and is able to load modules compiled to run in ECMA Common While paying the bills as a network engineer, Deviant Ollam’s first and strongest love has
Language Infrastructure, for example C#, C++.NET, VB.NET, IronPython and others. So always been teaching. Employed periodically at schools in the greater Philadelphia area,
the core component, GUI and the modules are multi platform. These modules would he is presently a student at the New Jersey Institute of Technology in the hopes of tacking
run on Windows using the Microsoft CLI or Linux using Mono or another CLI some actual letters to his name and doing the professor gig full time. A fanatical
implementation. Bacon’s core also provides a set of facilities to generate custom supporter of First Amendment rights who believes that the best way to increase security
reports, utility libraries and module communication. The actual development of Bacon is to publicly disclose vulnerabilities, Deviant has given lockpick demonstrations at other
is focused in the core component and three modules, one of them for code auditing, con events and various schools.
other for web application auditing and the last one for database auditing.
Inequality and Risk
Hernan Gips worked as security consultant for 6 years in a top security consulting
Paul Graham, Y Combinator
company in Buenos Aires, Argentina. Doing both Pentesting and Code Auditing for local
and international companies. He worked as developer and architect in many different Previous attempts to hack the connection between wealth and power have aimed
technologies including C, C++, Java and .NET. mainly at eliminating economic inequality. They’ve all ended in disaster, because
economic inequality is closely related to risk: you can’t eliminate inequality without
Intro to High Security Locks and Safes eliminating startups, and with them growth. So if you want to get rid of injustice, the
Michael Glasser place to attack is one step downstream, where wealth turns into power.
Deviant Ollam Paul Graham is the author of On Lisp, Ansi Common Lisp, and Hackers & Painters; was
This “Talk” will focus on the next step beyond basic locks and lock picking. You will NOT co-founder of Viaweb (now Yahoo Store); developed a simple Bayesian spam filter that
learn about basic cylinders. You will not learn how to shim a padlock. You will learn inspired many present filters; and is one of the partners in Y Combinator.

35
 Top Ten Legal Issues in Computer Security focus on the detection of and recovery from the installation of both traditional and
Jennifer Granick, Executive Director, Center for Internet and kernel-level rootkits. Included in the presentation is a demonstration of an operating
Society, Stanford Law School system architecture and intrusion recovery system (IRS) that is capable of recovering
This will be a practical and theoretical tutorial on legal issues related to computer from some of the most prevalent rootkits seen in the wild. Prototype recovery tools
security practices. In advance of the talk, Granick will unscientifically determine the will be released.
“Top Ten Legal Questions About Computer Security” that Defcon attendees have and Julian Grizzard is a Ph.D. candidate in the School of Electrical and Computer Engineering
will answer them as clearly as the unsettled nature of the law allows. While the at the Georgia Institute of Technology. He received his B.S. in Computer Engineering from
content of the talk is audience driven, Granick expects to cover legal issues related to Clemson University and his M.S. in Electrical and Computer Engineering from the Georgia
vulnerability disclosure, copyright infringement, reverse engineering, free speech, Institute of Technology. He has been studying rootkits for several years, written numerous
surveillance and civil liberties. related papers, and given many academic and research presentations. He is a member of
the Honeynet Research Alliance and his research interests include kernel hacking,
Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and
networking, and security.
Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and
writes on the full spectrum of Internet law issues including computer crime and security, Lost in Translation
national security, constitutional rights, and electronic surveillance, areas in which her Christian Grothoff
expertise is recognized nationally.
This presentation describes the possibilities of steganographically embedding
Granick came to Stanford after almost a decade practicing criminal defense law in
California. Her experience includes stints at the Office of the State Public Defender and at
information in the “noise” created by automatic translation of natural language
a number of criminal defense boutiques, before founding the Law Offices of Jennifer S. documents. An automated natural language translation system is ideal for
Granick, where she focused on hacker defense and other computer law representations steganographic applications, since natural language translation leaves plenty of room
at the trial and appellate level in state and federal court. At Stanford, she currently for variation. Also, because there are frequent errors in legitimate automatic text
teaches the Cyberlaw Clinic, one of the nation’s few public interest law and technology translations, additional errors inserted by an information hiding mechanism are
litigation clinics. plausibly undetectable and would appear to be part of the normal noise associated
Granick continues to consult on computer crime cases and serves on the Board of with translation. Significantly, it should be extremely difficult for an adversary to
Directors of the Honeynet Project, which collects data on computer intrusions for the determine if inaccuracies in the translation are caused by the use of steganography or
purposes of developing defensive tools and practices and the Hacker Foundation, a by perceptions and deficiencies of the translation software. A prototype, Lost in
research and service organization promoting the creative use of technological resources. Translation (LiT), will be presented.
Christian Grothoff is a Ph.D. Student in Computer Sciences at UCLA. His research areas are
Surgical Recovery from Kernel-Level Rootkit Installations
programming languages and security with focus on privacy enhancing technologies. He
Julian Grizzard
started and maintains the GNUnet, the GNU project for secure peer-to-peer networking
Conventional wisdom states that once a system has been compromised, it can no with focus on anonymous file-sharing. Together with Krista Bennett he started the Lost in
longer be trusted and the only solution is to wipe the system clean and reinstall. This Translation (LiT) project, which explores new ideas in text steganography.
talk goes against the grain of conventional wisdom and asks are there more efficient
ways to repair a system other than complete reinstallation. Specifically, this talk will
36
The Insecure Workstation II `bob reloaded` He speculated a variety of reasons for this including genetics and social factors, and
Deral Heiland his comments created a stir among academics and the general public. While the
The insecure workstation II `Bob Reloaded`. Exploring attack vectors within Microsoft accuracy of his statements are suspect, he raises an intriguing question in light of
desktop systems. A close look at third party applications that still suffer from api call declining female enrollment in computer science and engineering degree programs at
vulnerabilities and how attackers can use these vulnerabilities to escalate there rights MIT and other universities. And if women are falling out of these fields, what is
to system level . Also will be exploring this year’s security research into “attacks happening to the population of female hackers and security professionals? What
against the local desktop login”. Demonstration of desktop access without logging in. have their experiences been up to this point? Research suggests men dominate the
underground, and sociological research suggests this is attributable to social
Deral Heiland serves as a Network Security Analyst for a fortune 500 company. Mr. Heiland
practices rather than innate sex differences. However, the female hackers’ perspective
manages application and network vulnerability testing, Intrusion Detection Systems,
has not been well documented. Furthermore, the existing literature on this issue is
controls firewall security and anti-virus efforts. With over a decade of work in the
based largely on anecdotal rather than empirical evidence. As such, it is necessary to
Information Technology field, Mr. Heiland has obtained several certifications including:
examine the gendered experiences of hackers to expand our knowledge of how these
CISSP, SSCP, CCNA, CWLSS, and CNE5.
experiences impact individuals and their behavior.
Your Defense is Offensive The purpose of this talk is to introduce my research agenda to study male and
hellNbak, Resident Asshole, Nomad Mobile Research Center female hackers, and examine variations across gender. During the talk, I will lay out
(NMRC) fundamental theoretical concepts used to discuss the different experiences of men
and women on and off-line. Then I will introduce my research proposal and call for
Every Corporation in the world has run out and purchased IDS, Patch Mangement and
interested individuals to participate in this study. Throughout the presentation, the
other products that are selling security. This talk will outline ways that these so called
audience is welcome to share their personal feelings, beliefs, and knowledge about
“security products” can actually be used against an organization. Organizations
gender and hacking. The start of an open dialogue, whether formal or informal,
should fear their poorly implemented “Security”
regarding gender differences in hacking is critical to advance our understanding of
hellNbak has been around the IT Security industry for 13 years and is the resident trouble this important issue for information technology and the sciences.
maker of NMRC. In his spare time he is the founder and moderator of VulnWatch
Tom Holt is completing his Ph. D. in Criminology and Criminal Justice at the University of
(www.vulnwatch.org) and a data mangler for OSVDB (www.osvdb.org).
Missouri-Saint Louis. He is also an Assistant Professor in the Department of Criminal
No Women Allowed? Exploring Gender Differences In Justice at the University of North Carolina-Charlotte specializing in crime and technology.
Hacking Much of his graduate career has been spent examining computer crime and cybercrime,
Thomas J. Holt, A.B.D., Department of Criminal Justice, especially hackers and hacking. His dissertation research examines the elements that
University of North Carolina-Charlotte; currently affiliated compose the hacker subculture, as well as its’ social organization through multiple data
with the Department of Criminology and Criminal Justice at sources. Tom has collected various materials to that end, including interviews with active
hackers. His primary goal is to understand various social aspects of hacking and the
the University of Missouri-Saint Louis
computer underground from the hacker’s perspective.
The President of Harvard University, Lawrence H. Summers, recently suggested the
lack of women in the sciences is due to innate differences between men and women.
37
 Meme Mining for Fun and Profit appears in SysAdmin, Security Administrator, Windows Web Solutions, Windows IT Pro,
Broward Horne, Consultant Texas Computing and Computer Currents magazines. He is also author of “Open Source
Security Tools” published by Addison Westley in 2004. Type “Tony Howlett” into Google
Technology trends are treacherous. Should you learn java or visual basic? Pay for
to get additional references.
Windows or download Linux? Will that investment in Bluetooth pay off? Or will you
get suckered by a faddish book written by a fading technology guru? The Next Generation of Cryptanalytic Hardware
You can’t know the future (yet), but you can make educated guesses and tilt the David Hulton, Dachb0den Labs
odds in your favor. Meme Miner is a simple program for trend tracking. Its power lies
Encryption is simply the act of obfuscating something to the point that it would take
in the business and social bandwidth concepts behind its creation.
too much time or money for an attacker to recover it. Many algorithms have time
Meme Miner shows current technology trends, but also gives an historical
after time failed due to Moore’s law or large budgets or resources (e.g.
perspective of their past. You will NOT get a lesson in HTTP hacking in this session,
distributed.net). There have been many articles published on cracking crypto using
but you will get practical and valuable business concepts to help survive (and
specialized hardware, but many were never fully regarded as being practical attacks.
perhaps prosper) in the next technology upheaval.
Slowly FPGAs (Field Programmable Gate Arrays) have become affordable to
Broward Horne is a software developer with a diverse background, including several years consumers and advanced enough to implement some of the conventional software
as an electronic technician at Litton and Teradyne and as a sysadmin at a major University. attacks extremely efficiently in hardware. The result is performance up to hundreds of
Broward also has a business background, doing contract work for the United States times faster than a modern PC.
Department of Transportation on experimental pen-based systems, early wireless LANs This presentation will provide a walk through on how FPGAs work, review their
and two-dimension barcoding.
past applications with crypto cracking, present basic tips and pointers to developing
GeoIP Blocking, A Controversial But (Sometimes) Effective a fast and efficient crypto cracking design, discuss overclocking FPGAs, and analyze
Approach the future growth of FPGA hardware and it’s relation to current crypto ciphers. Then,
Tony Howlett, President, Network Security Services, Inc. a new open source DES cracking engine will be released and demonstrated which is
able to crack windows Lanman and NTLM passwords at a rate over 600,000,000
What if I told you, than in a few minutes and at no extra cost, you could be blocking crypts per second on a single low-cost Virtex-4 LX25 FPGA and provide brute-force
up to 30% of all malware headed for your network? Sound too good to be true? performance comparable to lookups on a hard-drive based rainbowtable attack.
Well it doesn’t work for everyone and there are a lot of caveats, but it can be an
David Hulton is one of the founding members of Pico Computing, Inc., a manufacturer of
effective way to eliminate a large portion of the malicious traffic aimed at your
compact embedded FPGA computers and dedicated to developing revolutionary open
network. In this talk we will cover why you would want to GeoIP block and why it
source applications for FPGA systems. He is also one of the founding members of
might not be a good choice for you. We will then get into the mechanics with actual
Dachb0den Research Labs, a non-profit security research think-tank, is currently the
IP blocks given and strategies for both full and limited GeoIP blocking. You have
Chairman of ToorCon Information Security Conference and has helped start many of the
nothing to lose and may gain a valuable tool in your network security arsenal.
security and unix oriented meetings in San Diego.
Tony Howlett is President of Network Security Services, Inc. He was previously founder
and CTO of InfoHighway Communications Corp., a leading ISP and CLEC. He is a
frequent speaker and writer on security, the Internet and technology. His articles have
38
Credit Cards: Everything You have Ever Wanted to Know 3. Realtime visualizations of large network scans
Robert “hackajar” Imhoff-Dousharm, Merchant Credit Card Building on Cheswick’s work, I will demonstrate tools for enhancing our
Consultant, Hackajar Group comprehension of the torrential floods of data received during large scale
Identity theft is at an all time high. With businesses, universities and banks being network scans. By leveraging the 3D infrastructure made widely available for
compromised the threat is real right now. The media covers these area’s but miss one gaming purposes, we can display and animate tremendous amounts of data
important location that your most susceptible to fraud, everywhere you swipe your for administrator evaluation.
credit card. We will pull out all the stops to help you understand credit cards, their 4. A High Speed Arbitrary Tunneling Stack
history and how to protect yourself. Ever wonder what was in the magnetic strip of a Expanding on last year’s talk demonstrating live streaming audio over DNS, I
card? Where that information goes? Who keeps your personal information, and for will now demonstrate a reliable communication protocol capable of scaling
how long? Who is data mining this information? Who do they sell it to? All these up to streaming video over multiple, arbitrary, potentially asymmetric
questions and more will be answered in this presentation Defcon 11 we talked about transports.
social engineering to steal your credit card information. Defcon 12 we gave a live Dan Kaminsky, also known as Effugas, is a Senior Security Consultant for Avaya’s
example on stealing credit card data from merchant networks. Now we will show you Enterprise Security Practice, where he works on large-scale security infrastructure. Dan’s
what that information is, and how to protect yourself against fraud. experience includes two years at Cisco Systems designing security infrastructure for large-
scale network monitoring systems.
Robert “hackajar” Imhoff-Dousharm has worked in computer security for over 6 years.
He is best known for his work on the ultra-fast port scanner scanrand, part of the
He has spent 2-1/2 years in the merchant credit card security field. Last year he has
“Paketto Keiretsu”, a collection of tools that use new and unusual strategies for
started his own credit card security consulting firm to focus more on securing businesses
manipulating TCP/IP networks. He authored the Spoofing and Tunneling chapters for
one client at a time. He also works in a SOC for a large client, insuring data integrity,
“Hack Proofing Your Network: Second Edition”, was a co-author of “Stealing The
availability and confidentiality. Robert has spoken at Defcon 11 & 12 in both social
Network: How To Own The Box”, and has delivered presentations at several major
security and network security of credit cards in merchant environments.
industry conferences, including Linuxworld, DefCon, and past Black Hat Briefings.
Black Ops 2005 Dan was responsible for the Dynamic Forwarding patch to OpenSSH, integrating the
Dan Kaminsky majority of VPN-style functionality into the widely deployed cryptographic toolkit. Finally,
he founded the cross-disciplinary DoxPara Research in 1997, seeking to integrate
Another year, another batch of packet related stunts. A preview: psychological and technological theory to create more effective systems for non-ideal but
1. A Temporal Attack against IP very real environments in the field.
It is commonly said that IP is a stateless protocol. This is not entirely true. We
will discuss a mechanism by which IP’s limited stateful mechanisms can be Passive Host Auditing
exploited to fingerprint operating systems and to evade most intrusion jives
detection systems. Traditionally, IDS systems such as snort have been used to monitor attacks against
2. Application-layer attacks against MD5 or within a network. This talk will give the outline for turning those tools around and
We will show how web pages and other executable environments can be instead using them to audit networks. We will discuss how to identify OS’s, tell who is
manipulated to emit arbitrarily different content with identical MD5 hashes. patching, what services are being deployed (perhaps insecurely), and other methods
39
 for policy enforcement. This discussion is ideally suited for administrators and security Nick Farr spent the first decade of his career serving in non-profit management roles in
professionals in open and/or decentralized environments, especially those charged academia, public radio, print journalism and computer recycling. While pursuing a new
with auditing the network. While several signatures and sample scripts will be career in Public Accounting, he continues to serve in his role as Treasurer of the Hacker
discussed during this talk, this is a relatively new area of auditing and network Foundation which he co-founded.
security so questions, comments and volunteers will all be welcome. Jennifer Stisa Granick joined Stanford Law School in January 2001, as Lecturer in Law and
Jives has been doing computer security at a major research university for over 5 years. Executive Director of the Center for Internet and Society (CIS). She teaches, speaks and
After initially specializing in host security he has moved into network security. In this area writes on the full spectrum of Internet law issues including computer crime and security,
he has written several evidence gathering scripts. Recently he has made a hobby out of national security, constitutional rights, and electronic surveillance, areas in which her
using the network to answer questions about the host. expertise is recognized nationally.

Doing Not-For-Profit Tech: A Linguistic Platform for Threat Development

The Hacker Foundation Year in Review Ben Kurtz, Imperfect Networks
Jesse Krembs, President, The Hacker Foundation Sick of hand-coding each and every exploit? The past few years have seen the rise of
Nick Farr (THF Treasurer) some generalized frameworks for the exploitation of vulnerabilities, but none of them
Emerson Tan (THF Vice President) are general-purpose enough to accommodate arbitrary hardware and network
Frazier Cunningham (THF Secretary) protocols. By applying programming language theory to the development of new
Jennifer Granick (THF Legal Affairs Officer) networks attacks, we can create next-generation platforms capable of quickly
James Schuyler (THF East Africa Region Coordinator) handling arbitrary protocols and hardware, and exponentially reducing threat
Christian Wright & William Knowles (THF Board Members) development time. The advances made in compilers in the past decades allow us to
& other select members of the Foundation Board. divorce ourselves from the tedious mechanics of custom-crafting network attacks and
Fresh from a year of grappling with Tsunamis, the IRS and building IT in Uganda, focus only on what we want the attack to do.
members of The Hacker Foundation will tell the story of their first year as a federally This new platform has serious implications for both good (rapidly adding 0-day
recognized non-profit organization while providing practical insight on doing charitable exploits to your lab’s regression testing with no programming knowledge) and for
IT work throughout the world. Tips and tricks on everything from funding for free evil (allowing people with no programming knowledge to wield a database of
software projects to keeping a dust storm from killing your laptop will be presented. malevolence). The Linguistic Platform can simultaneously accommodate both the
The Hacker Foundation serves as a research and service organization to promote generation of network traffic and the decomposition of packet captures for
and explore the creative use of technological resources across frontiers with a subsequent modification and playback. Using this system, a user can capture a
global outlook. malicious traffic stream in Ethereal, modify it as needed, and play it back on a live
network. By deploying several clustered systems, it can even play back multi-node
Jesse Krembs is the Head Defcon Speaker goon, and has been involved with Defcon since
conversations, such as a man-in-the-middle attack. The design of new threats and the
1998. He is co-founder of the Hacker Foundation and its current president. He travels
organization of threats into a database are also drastically simplified by this system.
widely doing radio survey work & wireless installation for Fortune 500 companies. He
In this talk, I will introduce a simple and incredibly powerful approach to the
restores classic motorcycles and naps in his spare time.
scripting, capture, and playback of malicious network traffic, and detail the design
40
goals and considerations of a Linguistic Platform for Threat Development. Some strong working knowledge of TCP/IP, C programming, assembly, and OS/Application
familiarity with linguistics or finite automata will be helpful, but is not required. fingerprinting techniques.
Ben Kurtz is a principal researcher and developer of threat generation and analysis Robert E. Lee serves as Dyad Labs’s CEO. Robert’s primary roles include technology and
technologies at Imperfect Networks. Earlier, he earned his Masters of Computer Science by software development, security research, and education program initiatives. Robert also
applying language theory to the visual analysis of probe data under the DARPA DASADA serves as the Director of Projects & Resources for the Institute for Security and pen
program, but has since discovered that it’s much easier to break something than to fix it. In Methodologies. Robert is a key contributor to the Open Source Security Testing
other incarnations, he has worked on critical systems for power plants, passenger jets, and Methodology Manual, Unicornscan, and Cruiser (no URL yet) projects. Robert maintains
insurance companies. If you knew him better, this would make you nervous. his OSSTMM Professional Security Tester (OPST) & OSSTMM Professional Security Analyst
(OPSA) certifications from the Institute for Security and Open Methodologies (ISECOM).
Introducing Unicornscan - Riding the Unicorn
Jack C. Louis is a Senior Security Researcher for Dyad Labs. He has a background in core
Robert E. Lee, Founder, Dyad Labs
networking technologies, systems programming, and electronics. Jack is the lead
Jack C. Louis, Founder, Dyad Labs
programmer behind Unicornscan, a distributed data information engine for the the
Unicornscan is an open source (GPL) tool designed to assist with information OSACE project. Jack is also the lead author of cruiser, a web application testing tool in the
gathering and security auditing. This talk will contrast the real world problems we’ve OSACE suite. Jack is also an ISECOM OPST & OPSA Certified Instructor.
experienced using other tools and methods while demonstrating the solutions that
Unicornscan can provide. The Dark Side of Winsock
We will use Unicornscan to collect information from large networks, data mine the Jonathan Levin
collected information, and test systems for susceptibility to specific vulnerabilities. The Winsock SPI, or Service Provider Interface, has been a part of Winsock since the
Some of the more interesting content includes: advent of version 2.0. It enables providers to extend the Winsock API transparently,
• An introduction to the Scatter Connect method of TCP Connection State by installing their own hooks and chains to application API calls. However, its
information tracking. formidable capabilities are not put to widespread use... aside from spyware
• How to get more mileage out of the information contained inside the TCP (remember Kazaa’s “sporder.dll”?).
stream for OS and possibly application fingerprinting. The talk will discuss (and demonstrate) some of the more insidious uses of the SPI.
• How to avoid the kernel fixing packets that we have specifically created to be From collecting connection statistics, through eavesdropping on data, or rerouting
invalid. connections, with the application remaining totally oblivious!
• How to deliver platform specific exploits using just the information from one Jonathan Levin has been involved with Information Security since the mid ‘90’s. He has
Target response packet (SYN/ACK). consulted for over 8 years (mostly in Israel), and trained numerous IT and security related
• How to take stable working exploits and use Unicornscan as a delivery agent. courses, in academic as well as technical fora.
During the talk we will release a new DEFCON specific version of Unicornscan that Johnny is an independent security consultant and trainer, and has worked closely with
contains many enhancements that we will demonstrate during the talk. The DEFCON many companies, e.g. Checkpoint, NDS and M-Systems. He has first encountered the
version will also contain a couple of special payload configuration files not included Winsock SPI back in ‘98 (and got to know all too intimately by writing device driver hooks
in the standard release. To get the most out of this talk attendees should have a

41
 over it...), but is surprised to see that, even after almost 7 years, it has gotten little Google Hacking for Penetration Testers
attention, despite its potent features. Johnny Long, Penetration Tester

Death By A Thousand Cuts - Forensics Google Hacking returns for more guaranteed fun this year at Defcon 13! If you
Johnny Long, Penetration Tester haven’t caught one of Johnny’s Google talks, you definitely should. Come and witness
all the new and amazing things that can be done with Google. All new for Defcon 13,
In this day and age, forensics evidence lurks everywhere. This talk takes attendees on
Johnny reveals basic and advanced search techniques, basic and advanced hacking
a brisk walk through the modern technological landscape in search of hidden digital
techniques, multi-engine attack query morphing, and zero-packet target foot printing
data. Some hiding places are more obvious than others, but far too many devices are
and recon techniques. Check out Google’s search-blocking tactics (and see them
overlooked in a modern forensics investigation. As we touch on each device, we’ll
bypassed), and learn all about using Google to locate targets Google doesn’t even
talk about the possibilities for the forensic investigator, and take a surprising and fun
know about! But wait, there’s more! Act now and Johnny will throw in the all new
look at the nooks and crannies of many devices considered commonplace in today’s
“Google Hacking Victim Showcase, 2005” loaded with tons of screenshots (and
society. We’ll look at iPods (and other MP3 players), Sony PSP devices (and other
supporting queries) of some of the most unfortunate victims of this fun, addictive and
personal video products), digital cameras, printers, fax machines, all-in-one devices,
deadly form of Internet nastiness. Think you’re too über to be caught in a Google
dumb phones, “smart” phones, cell phones, various network devices and even
talk? Fine. Prove your badness. Win the respect of the audience by crushing the live
wristwatches, sunglasses, pens and all sorts of other devices that contain potential
Google Hacking contest! Submit your unique winning query by the end of the talk to
evidence. For each device, we’ll look at what can be hidden and talk about various
win free books from Syngress Publishing and other cool gear! Or don’t. Just listen to
detection and extraction techniques, avoiding at all costs the obvious “oh I knew
your friends rave about it. Whatever.
that” path of forensics investigation. All this will of course be tempered with Johnny’s
usual flair, some fun “where’s the evidence” games, and some really cool giveaways. Social Engineering Do’s & Don’ts (A Female Perspective)
Johnny Long is a “clean-living” family guy who just so happens to like hacking stuff. Over Beth Louis (Phen)
the past two years, Johnny’s most visible focus has been on this Google hacking “thing” Social Engineering Do’s and Don’ts is more informative then technical. Over the
which has served as yet another diversion to a serious (and bill-paying) job as a course of the lecture, I plan on going over some information you may not have
professional hacker and security researcher for Computer Sciences Corporation. In his thought of in your pursuits. Such as, telephone surveys, the importance of being well
spare time, Johnny enjoys making random pirate noises (“Yarrrrr!”), spending time with
informed, along with basics such as the importance of both phone & social etiquette,
his wife and kids, convincing others that acting like a kid is part of his job as a parent,
surveillance, going undercover, corporate fraud and of course identity theft. There will
feigning artistic ability with programs like Bryce and Photoshop, pushing all the pretty
be live demonstrations & explanations. This is the talk for everything you wanted to
shiny buttons on them new-fangled Mac computers, and making much-too-serious
know about social engineering but were to technical to ask.
security types either look at him funny or start laughing uncontrollably. Johnny has written
or contributed to several books, including “Google Hacking for Penetration Testers” from Phen has been doing social engineering since the late 1980’s. Starting off by running a
Syngress Publishing, which has secured rave reviews and has lots of pictures. BBS and convincing the local ISP to give her free Internet usage to “working “ at West
Point Military Academy. She has used her skills to get into places such as the World Bank,
Lockheed & Martin, AT&T, along with the Bank of England & other corporate and
financial institutions. Although not a member, Her current affiliations are with The Ninja
42
Strike Force on behalf of Cult of the Dead Cow, which whom she has been working on Major Malfunction is a security professional by day, and a White Hat hacker by night. He
projects with for the past 4 years. She enjoys red lipstick, black skirts and strong tequila. is a good example of what happens to TheGoodGuysTM when you force them to travel,
eat junk food, drink too much coffee, and stay in cheap hotels. If your hotel has a hole in
The Six Year Old Hacker: No More Script Kiddies. it, Major Mal will find it... He has been involved in DEFCON, as a Goon, since DC5, and
Kevin McCarthy the computer industry since the early Eighties. He was co-founder of the world’s first full
Computer use in elementary schools is problematic. Seldom are computers well time Internet pirate radio station, InterFACE, and wrote the first ever CD ripper,
integrated into the general curriculum. Often, they are used merely as instructional ‘CDGRAB’, disproving the industry lie that computers could not read music CDs. In his
surrogates to “drill” skills. Particularly disturbing is the lack of exploration of the spare time, he likes to play with guns. Big guns. Little guns. As long as it goes BANG, it

computer itself, and the culture of technology. Programming can teach vital problem will be his friend, and he will love it, care for it, and feed it plenty of ammo. Let him
fondle your weapon, and you’ll have a friend for life...
solving skills, project management, respect for others work, and the value of
collaboration. So why not cultivate the methods and ethics of hacking in young Visual Security Event Analysis
children? For the last 2 years I have been doing just that. Working with 6 to 12 year Raffael Marty, Senior Security Engineer, ArcSight Inc
olds in a small Montessori school, I have begun to develop a program to encourage
curiosity in our created, technological world, in the same way that their teachers In the network security world, event graphs are evolving into a useful data analysis
encourages such curiosity in the natural world. I would like to open a discussion on tool, providing a powerful alternative to reading raw log data. By visually outlining
the value of this approach, and the methods I employ. Perhaps I can encourage others relationships among security events, analysts are given a tool to intuitively draw
to help cultivate the next generation of hackers. conclusions about the current state of their network and to respond quickly to
emerging issues.
Kevin McCarthy has worked as a system and network administrator 15 years. He is
I will be showing a myriad of graphs generated with data from various sources,
currently a network and security consultant. He teaches programming to elementary
such as Web servers, firewalls, network based intrusion detection systems, mail
school children and encourages their natural tendencies to hack.
servers, and operating system logs. Each of the graphs will be used to show a certain
Old Skewl Hacking - InfraRed property of the dataset analyzed. They will show anomalous behavior,
Major Malfunction misconfigurations and simply help document activities in a network.
As part of this talk, I will release a tool tool that can be used to experiment with
Infra Red is all around us. Most of us will use an Infra Red controller on more or less a
generating event graphs. A quick tutorial will show how easy it is to generate graphs
daily basis, to change the TV channel, or open a car or garage door, but how often
from security data of your own environment.
have you thought about how it actually works? This talk will describe not only how to
analyse the signals being sent by your remote, but also how to use that information Raffael Marty is a senior security engineer with ArcSight, the global leader in Enterprise

to find hidden commands and reveal functions you didn’t even know your systems Security Management (ESM). He initiated the Content team, holding responsibility over
all the content in ArcSight’s product, ranging from correlation rules to categorizations,
had. You will learn how to brute force garage doors, car doors, hotel pay-per-view TV
vulnerability mappings, to visualizations and dashboards. Before joining ArcSight, he was
systems, take over LED signs, vending machines and even control alarm systems,
a member of the Global Security Analysis Lab at IBM Research, where he participated in
using cheap or home made devices and free software...
various intrusion detection related projects. His Master’s thesis focused on correlating

43
 events and testing intrusion detection systems. The resulting tool he created, Thor, can be the New Zealand Supercomputer Centre, wardriving-gps-visualization software that works in
used to generate correlation tables for multiple, heterogeneous IDS sensors. . the southern hemisphere, and spreading debian and python bigotry.

Meet the Fed ATM Network Vulnerabilities

Jim Christy and various other Feds Robert Morris, Former Chief Scientist, NSA
A unique opportunity to surrender and confess all of your crimes to law enforcement When was the last time you visited an actual human being to withdraw some
agents from multiple federal and possibly international agencies. The “Meet the Fed” spending money? In a world where most people visit computers for cash, ATM
Panel is again chaired by Special Agent Jim Christy, Director of the Department of Networks have been traditionally thought of as a secure haven. Financial data theft is
Defense Cyber Crime Institute. Jim will have on his panel representatives from: more of a reality than ever, but the backbone for the majority of cash to consumer
• Department of Defense Cyber Crime Center (DoD) transactions is not a target. I will show you why that is about to change. During my
• The Internal Revenue Service (IRS - always a favorite) years at the NSA, I witnessed the growth of the electronic banking industry and
• General Accounting Office (GAO) observed many poor security design decisions as the ATM network was built. The
• US Postal Service means for authentication, the protection of data, and the methods for transferring
• Federal Bureau of Investigation (FBI) sensitive information are just the tip of the iceberg. The ATM network is the next
• National Security Agency (NSA) (2) financial hacking pot of gold.
If you don’t want to confess yourself, you can certainly drop a dime on one of the Robert Morris received a B.A. in Mathematics from Harvard University in 1957 and a M.A.
other DEFCON attendees. in Mathematics from Harvard in 1958. He was a member of the technical staff in the
research department of Bell Laboratories from 1960 until 1986. On his retirement from
Trust Transience: Post Intrusion SSH Hijacking
Bell Laboratories in 1986 he began work at the National Security Agency. From 1986 to
Metalstorm
his (second) retirement in 1994, he was a senior adviser in the portion of NSA responsible
Trust Transience: Post Intrusion SSH Hijacking explores the issues of transient trust for the protection of sensitive U.S. information.
relationships between hosts, and how to exploit them. Applying technique from anti-
forensics, linux VXers, and some good-ole-fashioned blackhat creativity, a concrete Hacking the Mind (Influence and NLP)
example is presented in the form of a post-intrusion transparent SSH connection Mystic
hijacker. The presentation covers the theory, a real world demonstration, the Do you ever find yourself wondering if good social engineers and highly influential
implementation of the SSH Hijacker with special reference to defeating forensic people are just born that way? Well, you might be surprised to find out that any
analysis, and everything you’ll need to go home and hijack yourself some action. human skill can be duplicated including being a master at influence. This is what
Metalstorm is a deathmetal listening linux hippy from New Zealand. When not furiously forms the basis for a field of study known as NLP or Neuro-Linguistic-Programming.
playing air-guitar, he works for linux integrator and managed security vendor Asterisk in In this talk I will give an introduction to what NLP is and how it is used and will also
Auckland, New Zealand. Previous work has placed him in ISP security, network engineering, provide you with some tools to help you better understand how you and others are
linux systems programming, corporate whore security consultancy and a brief stint at the influenced and how to exploit it.
helm of a mighty installation of solaris tar. Amongst his preoccupations at the moment are

44
Mystic is a strong believer that hacking at its core has little to do with computers and technology products they use really do. Schoen comes to EFF from Linuxcare, where he
more to do with how you chose to live your life. His interests go from electronic music to worked for two years as a senior consultant. While at Linuxcare, Schoen helped create
poetry to encryption to designing Texas Hold’em AIs. the Linuxcare Bootable Business Card CD-ROM.

Wendy Seltzer is Special Projects Coordinator with the EFF, specializing in intellectual
Ask EFF: The Year in Digital Liberties
property and free speech issues. As a Fellow with Harvard’s Berkman Center for Internet
Annalee Newitz, Policy Analyst, Electronic Frontier Foundation
& Society, Wendy founded and leads the Chilling Effects Clearinghouse, helping Internet
Wendy Seltzer, Special Projects Coordinator, Electronic Frontier
users to understand their rights in response to cease-and-desist threats. Prior to joining
Foundation
EFF, Wendy taught Internet Law as an Adjunct Professor at St. John’s University School of
Kevin Bankston, Staff Attorney, Electronic Frontier Foundation
Law and practiced intellectual property and technology litigation with Kramer Levin
Kurt Opsahl, Staff Attorney, Electronic Frontier Foundation Naftalis & Frankel in New York.
Seth Schoen, Staff Technologist, Electronic Frontier Foundation
Kevin Bankston, an attorney specializing in free speech and privacy law, is the EFF’s Equal
Get the latest information about how the law is racing to catch up with technological Justice Works/Bruce J. Ennis Fellow for 2003-05. His fellowship project focuses on the
change from staffers at the Electronic Frontier Foundation, a digital civil liberties group impact of post-9/11 anti-terrorism laws and surveillance initiatives on online privacy and
fighting for freedom and privacy in the computer age. This session will include updates free expression. Before joining EFF, Kevin was the Justice William J. Brennan First
on current EFF issues such as DRM, file-sharing, spyware, the USA-Patriot Act, and Amendment Fellow for the American Civil Liberties Union in New York City. At the ACLU,
bloggers’ rights. But over half the session will be given over to question-and-answer, Kevin litigated Internet-related free speech cases, including First Amendment challenges
so it’s your chance to ask the panelists questions about issues important to you. to both the Digital Millennium Copyright Act (Edelman v. N2H2, Inc.) and a federal

Annalee Newitz is EFF’s Policy Analyst. She writes policy recommendations and white statute regulating Internet speech in public libraries (American Library Association v. U.S.).

papers, including recent papers on the dangers of EULAs, the problems with anti-spam
Causing the Law
regimes, and how to blog anonymously. Her special areas of interest are free speech,
Mark Pauline, founder of SRL
anonymity, network regulation, and expanding the public domain. The recipient of a
Knight Science Journalism Fellowship in 2002, she writes a syndicated weekly column Survival Research Laboratories (SRL) was founded by Mark Pauline in November
called Techsploitation and is a contributing editor at Wired magazine. 1978. Since its inception, SRL has operated as an organization of creative technicians
Kurt Opsahl is a Staff Attorney with the EFF focusing on civil liberties, free speech and
dedicated to re-directing the techniques, tools, and tenets of industry, science, and the
privacy law. Before joining EFF, Opsahl worked at Perkins Coie, where he represented military away from their typical manifestations in practicality, product or warfare.
technology clients with respect to intellectual property, privacy, defamation, and other Since 1979, SRL has staged over 45 mechanized presentations in the United States
online liability matters, including working on Kelly v. Arribasoft, MGM v. Grokster and and Europe. Each performance consists of a unique set of ritualized interactions
CoStar v. LoopNet. For his work responding to government subpoenas, Opsahl is proud between machines, robots, and special effects devices, employed in developing
to have been called a “rabid dog” by the Department of Justice. themes of socio-political satire. Humans are present only as audience or operators.
More information can be found at www.srl.org
Seth Schoen created the position of EFF Staff Technologist, helping other technologists
understand the civil liberties implications of their work, EFF staff better understand the Mark Pauline passion is legal, but only in the places he has never been. Follow him
underlying technology related to EFF’s legal work, and the public understand what the through his history of causing the law.

45
 Bypassing Authenticated Wireless Networks No, not the standard issue “OpenBSD is uber secure, Windows sucks” discussion.
Dean Pierce Rather, I’ve been focusing on the long term impact of each of these operating
Brandon Edwards systems on the security of enterprise networks and the Internet as a whole. Any
Anthony Lineberry reasonable tech geek can be trained to lock down a host. Give them a checklist and
As the demand for mobile internet access increases, more and more public wireless some procedures and lock it down and *boom* a secure host. However, while that
access points are becoming available for general usage. Unfortunately, as awareness host may be secure today, what are the differences in long term security between the
of these access points increases, some companies have been capitalizing on the idea, major operating systems.
charging monthly and hourly rates. As it turns out, a lot of the long term security issues revolve around the
This talk discusses methods of silently bypassing current implementations of development method used to develop the OS. Windows is designed as one big
authenticated wireless networks. An automated proof of concept tool is released and system, and to some extent the BSD’s are as well. But Linux... Linux is designed with
explained. Some theoretical methods of authentication that might be implemented in duct tape in mind. Linux distros are held together with spit and tape, and the
the future are also discussed. ramifications on security are dire. I’ve been gathering data from mail lists, looking at
code, and talking to people running big systems in an attempt to figure out how bad
Both Dean and Brandon are undergraduates in computer science at Portland State
things really are. I’m sure many of you will find this talk inflammatory, and that’s a
University. Both have very strong interests in the fields of wireless communications,
good thing. “Knowing is half the battle.”... even if you don’t want to hear it.
network security, and cryptanalysis. They are also active members of pdx2600.
Anthony currently works for Logic Library Inc as a software engineer developing static The Shmoo Group is a non-profit think-tank comprised of security professionals from
binary analysis software. He has been active in computer and network security since early around the world who donate their free time and energy to information security research
high school. His main interests lie in kernel development, binary reverse engineering, and and development. They get a kick out of sharing their ideas, code, and stickers at
embedded systems. DefCon. Whether it’s mercenary hacking for CTF teams, lock-picking, war-flying, or
excessive drinking, TSG has become a friendly DefCon staple in recent years past. Visit
Suicidal Linux www.shmoo.com for more info.
Bruce Potter, the Shmoo Group
Shmoo-Fu: Hacker Goo, Goofs, and Gear with the Shmoo
I spend a lot of my time shooting at random targets. Last year I was on a Bluetooth
Bruce Potter, Beetle, CowboyM, Dan Moniz, Rodney Thayer,
holy war, trying to raise awareness of Bluetooth security (or lack therein). My talk at
3ricj, Pablos all speaking on behalf of the Shmoo Group
BH 04 was actually a two day experiment using Bluetooth to track attendees around
the conference (code available from bluetooth.shmoo.com). While the technology Last Summer, they dared to make a Wi-Fi sniper rifle that fried their eyeballs and
was simple, the message needed to get out. Bluetooth enabled phones are dangerous scared the crap out of UPS. They built a robot that owned your Mom’s access point and
and are flying under the security industry’s radar screen. showed you the password to her underwear drawer, too. Last Winter, they ran up a
Fast forward a year, and the situation is much better. Bluetooth security is getting $3000 bar tab at a nightclub in D.C. with several hundred ShmooCon attendees—then
more and more coverage and research (www.trifinite.org is a great site for BT donated just as much to EFF for shits and grins. This DefCon, the Shmoo Group brings
security issues), and people are (finally) getting scared. So I decided to shift gears into you a slew of hacker goo, goofs, and gear to go with your shiny new “Notice to Law
a bigger hornet’s nest... The holy war of Operating System security. Enforcement” stickers. Can you resist? Probably. Will you? Nope. Why? Because they

46
have cool shit all over again. IDN fallout and homograph attacks on personal identities Fabio Ghioni is advisor to several Multinational Corporations as well as Governments. He
thanks to 3ricj. Hot models wearing spy actionwear designed by Pablos—fresh from is the leading expert in the field of information security, competitive intelligence and
his ninja lair of alien technology. Revving up rainbow tables with Dan “Don’t Be intrusion management in an asymmetric environment. As consultant to several different
Crazy” Moniz. New Wi-Fi kung-fu with “Rogue Squadron” and EAP-peeking by Beetle. Government institutions he has been the key to the solution of several terrorism cases in
Rodney Thayer explains how to blow $1 MILLION on commercial security shtuff and the past. His key fields of research range from mobile and wireless competitive security to

still get owned by a grade-school punk addicted to Xbox. CowboyM returns to show the classification of information and forensics technologies applied to identity
management and ambient intelligence.
off new geeky tactical gear designed for close-quarters wireless combat—do NOT try
this at home, kids, and certainly not inside a Faraday cage. Finally, because you’ve all Pen-testing the Backbone
been waiting for it, Bruce Potter pours gasoline on his security model self and lights a Raven, NMRC
fucking match! Mo’ better and with no blow-up dolls, the Shmoo Group returns to
rant on recent projects and review new ones. Rated R for strong violence, adult Despite its crucial importance, the network backbone is often ignored or exempted
situations, disturbing images, nudity, language, and epic warfare. from security testing. This talk will cover how to sanely and effectively perform a pen-
test against routers, switches, and similar network infrastructure equipment. Avenues
Assymetric Digital Warfare of attack will range from the physical to the routing protocol-based, from the local to
Roberto Preatoni (aka Sys64738) the remote, and suggested mitigation measures will also be discussed.
Fabio Ghioni Raven splits her time between network engineering and security testing, and often tries
The speech will be intended to let the attendees understand to fuse the two, to varying degrees of success. She is equally fond of building networks
where and how the digital conflicts are conducted today for ISPs and breaking them nicely. In her Copious Spare Time, she contributes to network
but we will dig deeply into the future. We will take as security books, mangles for OSVDB, kicks other people’s crypto implementations, and
example the US Army program F.C.S. (Future Combat enjoys ill-advised adventures.
System) as the perfect example on how a developed
superpower might carry on a super-advanced war Licensing Agreements 101: The Creative Commons License
program, all based on combat computer systems and Jim “FalconRed” Rennie
networks that control unmanned vehicles as well as wheeled combat This talk will give some quick background on the Creative Commons license—why
drones, to discover at the end that the adoption of such systems might introduce exactly it was created and who created it. More importantly, this talk will dissect the
conceptual vulnerabilities that a wise enemy might exploit by means of hacking. “lawyer” version of the license and explain some of the key terms hidden from the
Roberto Preatoni (aka Sys64738): 37, is the founder of the defacement/cybercrime average user. Finally, this talk will discuss ways to maximize your protection under the
archive Zone-H (www.zone-h.org)as well as its key columnist. He’s also CEO of an license and protect your content from possible legal pitfalls.
International ITsec company (Domina Security). He has been globetrotting, lecturing in Jim “FalconRed” Rennie is currently a law student in New York City. Previously, he spent
several ITsec security conferences, including Defcon in the US. He has been interviewed by several years as a Software Engineer at two Seattle-area companies. While in Seattle, he
several print and online newspapers where he shares his experiences relating to cyberwar met up with the infamous GhettoHackers, which probably shortened his life expectancy by
and cybercrimes. A man with different opinions than the usual. several years. Jim has been attending DefCon long enough to know who not to piss off.

47
 Forensic Data Acquisition Tools Why Tech Documentaries are Impossible (And why we
RS have to do them anyway.)
Proper recovery of evidence can be critical to a successful investigation or Jason Scott
prosecution. This talk focuses on the different tools and techniques that are used by Documentaries have a place in telling the history and story of many different cultures
US Law Enforcement to get an uncontaminated copy of digital evidence from a and events, but documentaries about technical subjects tend to run into common
suspect machine. The goal of this presentation is to teach not only how to copy all the problems: too light, too wrong, too hated. Is the patient terminal? Can you create a
data from a suspect machine, but also to instruct on how to make sure that any film that is both informative and of interest to a general audience?
evidence collected can be used in court. Both hardware and software based forensic Having spent 4 years creating a tech documentary of his own on the era of the
acquisition tools will be covered, with the various strengths and weaknesses of each Dial-up Bulletin Board system, Jason Scott of textfiles.com talks about what unique
product discussed. challenges exist in the film medium for telling a highly technical story, as well as what
RS investigates financial fraud within medical environments. Duties include participating choices had to be made throughout production. The talk will be illustrated with
in the execution of search warrants to recover computer base evidence. Because of the sequences from the resultant five and a half hour BBS Documentary Mini-series.
sensitivity of the medical data to be seized and liability issues involved, forensic images of Jason Scott has been full-bore collecting history of BBSes and computer culture for 20
suspect systems must be made quickly, on-site, in production medical environments, with years, with the last four being split equally between his BBS history site textfiles.com and
minimal disruption to patient care. his documentary on Dial-up Bulletin Boards, “BBS: The Documentary”. With over 200
interviews and 250 hours of footage, this project overtook his life for a very long time
Hacking Windows CE and in a very large way. His hobbies include gardening and enjoying civil liberties.
San, NSFocus Corporation & XFocus Team
Security threats to PDAs and mobiles have become more and more serious. This Automation - Deus ex Machina or Rube Goldberg Machine?
presentation will show a buffer overflow exploitation example in Windows CE. It will Sensepost
cover some knowledge about ARM architecture and memory management, the How far can automation be taken? How much intelligence can be embodied in code?
features of processes and threads of Windows CE. It also will show how to write a How generic can automated IT security assessment tools really be? This presentation
shellcode in Windows CE (including some knowledge about decoding shellcode of will attempt to show which areas of attacks lend themselves to automation and
Windows CE with ARM processor), and a live attack demonstration. which aspects should best be left for manual human inspection and analyses.
San is a security researcher, who has been working in the Research Department of SensePost will provide the audience a glimpse of BiDiBLAH - an attempt to
NSFocus Information Technology (Beijing) Co., Ltd for more than three years. He’s also the automate a focused yet comprehensive assessment. The tool provides automation for:
key member of XFocus Team. • Finding networks and targets
His focus is on researching and analysing application security, and he’s also the main • Fingerprinting targets
author of “Network Penetration Technology” (Chinese version book). • Discovering known vulnerabilities on the targets
• Exploiting the vulnerabilities found
• Reporting

48
Roelof Temmingh is the Technical Director of SensePost where his primary function is that based retailer of WarDriving and extended range WiFi hardware and a published author
of external penetration specialist. Roelof is internationally recognized for his skills in the on business and the need for data security, see: McGrawHill/AMACOM, “The Art of the
assessment of web servers. He has written various pieces of PERL code as proof of Turnaround”. Mr. Shuchman is an experienced public speaker both at conferences, TV,
concept for known vulnerabilities, and coded the world-first anti-IDS web proxy and radio.
“Pudding”. He has spoken at many International Conferences and in the past year alone
has been a keynote speaker at SummerCon (Holland) and a speaker at The Black Hat Legal and Ethical Aspects of WarDriving
Briefings. Roelof drinks tea and smokes Camels. Matthew L. Shuchman (“Pilgrim”), Founder & National Security
Advisor, WarDrivingWorld.com
Haroon Meer is currently SensePost’s Director of Development (and coffee drinking). He
Frank Thornton, Blackthorn Systems (“Thorn”)
specializes in the research and development of new tools and techniques for network
Robert V. Hale II, Lawyer
penetration and has released several tools, utilities and white-papers to the security
community. He has been a guest speaker at many Security forums including the Black Hat This is a proposal for a panel discussion on the legality of accessing WiFi signals
Briefings. Haroon doesnt drink tea or smoke camels. without the permission of the owner and will include a review of the legal and ethical
Charl van der Walt is a founder member of SensePost. Charl has a number of years issues presented by freely available WiFi both to the owner of the AP and to the users.
experience in Information Security and has been involved in a number of prestigious Included in the panel will be a presentation of recent cases involving WiFi access,
security projects in Africa, Asia and Europe. He is a regular speaker at seminars and WarDriving, and theft of data by WiFi, as well as a review of the Federal laws that
conferences nationwide and is regularly published on internationally recognized forums cover use and misuse of WiFi including the Electronic Communications Privacy Act
like SecurityFocus. Charl has a dog called Fish. (ECPA) and the Computer Fraud and Abuse Act (CFAA.)
The panel members hope is that by presenting some of the legal and ethical issues
Building WarDriving Hardware Workshop that we can take the first steps towards guidelines for ethical conduct while
Matthew L. Shuchman (“Pilgrim”), Founder & National Security WarDriving (and Bluesnarfing.)
Advisor, WarDrivingWorld.com The panel chairperson and organizer is Matthew L. Shuchman (Pilgrim,) who began
WarDriving is becoming a popular sport among hackers and DEFCON attendees, and as a hacker in the days of punch cards. Mr. Shuchman is a founder of
WiFi site surveying has become an important tool for the IT security professional. This WarDrivingWorld.com, a web-based retailer of WarDriving and extended range WiFi
workshop will describe the basic equipment required for WarDriving and WiFi site hardware and a published author on business and the need for data security, see:
surveying. There will be a brief presentation on the benefits and features of different McGrawHill/AMACOM, “The Art of the Turnaround”.
types of WiFi hardware, adapter cards, chipsets, cables, pigtails, and antennas. The Mr. Shuchman has obtained commitments from two other panel members: Frank
session will include an overview of the design and performance characteristics of Thornton (Thorn) who runs a wireless technology consulting firm, Blackthorn System.
different types of antennas. A primary focus of the workshop will be to show the
Thorn is the co-author of “WarDriving; Drive, Detect, Defend”, and a retired member of
participants how to select the components and parts required and how to construct
the law enforcement community.
their own cantenna (directional) and spider (omnidirectional) antennas.
Robert V. Hale II, San Francisco-based lawyer, author of the recent article”Wi-Fi Liability:
Matthew L. Shuchman (Pilgrim) began his life as a hacker in the days of punch cards,
Potential Legal Risks in Accessing and Operating Wireless Internet,” and advisor to the
ALGOL and FORTRAN. Mr. Shuchman is a founder of WarDrivingWorld.com, a web-

49
 Cyberspace Committee of the California Bar. We are waiting for commitments from at FU teams up with Shadow Walker to raise the bar for rootkit detectors once again. In
least one other potential panel member. this talk we will explore the idea of memory subversion. We demonstrate that is not
only possible to hide a rootkit driver in memory, but that it is possible to do so with a
The NMRC Warez 2005 Extravaganza
minimal performance impact. The application (threat) of this attack extends beyond
Simple Nomad, NMRC
rootkits. As bug hunters turn toward kernel level exploits, we can extrapolate its
NMRC Collective: HellNBak, Disturbing; ertia, Hacker; Weasel,
application to worms and other forms of malware. Memory scanners beware the
Hacker; jrandom, Hacker; MadHat, Hacker
axiom, ‘vidre est credere’ . Let us just say that it does not hold the same way that it
Lock up your children and mid-sized barnyard animals, NMRC is coming to used to.
DEFCON13. From their underground bunker located somewhere in North America,
Sherri Sparks is a PhD student at the University of Central Florida. She received her
NMRC will emerge with your basic shitload of handy tools and toys, geared for
undergraduate degree in Computer Engineering and subsequently switched to Computer
helping the humble hacker in everyday chores. Look for crypto, utilities, and other Science after developing an interest in reverse code engineering and computer security.
hackerish tools to bring your hacker dreams alive. Most of these tools are being She also holds a graduate certificate in Computer Forensics. Currently, her research
presented for the first time at DEFCON. interests include offensive / defensive malicious code technologies and related issues in
Nomad Mobile Research Centre (NMRC) is a hacker collective, and has been digital forensic applications.
around since 1996. NMRC has released numerous papers, advisories, FAQs, and tools
Jamie Butler is the Director of Engineering at HBGary, Inc. specializing in rootkits and
over the years, and believes that hackers have something good to give to
other subversive technologies. He is the co-author and a teacher of “Aspects of Offensive
society.Unfortunately most of the world doesn’t believe in their definition of “good”.
Rootkit Technologies” and co-author of the upcoming book “Rootkits: Subverting the
NMRC has distinguished itself in the realm of hackerdom in the following ways over Windows Kernel” due out late July. He holds a MS in CS from UMBC and has published
other hacker groups: 1) They maintain friends of all hat colors; 2) They were the first articles in the IEEE IA Workshop proceedings, Phrack, USENIX login, and Information
hacker group to spell Centre with an “e” on the end; and 3) They live to hack and hack Management and Computer Security. Over the past few years his focus has been on
to live, unless of course they find free pr0n. Windows servers concentrating in host based intrusion detection and prevention, buffer
overflows, and reverse engineering. Jamie is also a contributor at rootkit.com.
“Shadow Walker”—Raising The Bar For Rootkit Detection
Sherri Sparks DIRA: Automatic Detection, Identification, and Repair of
Jamie Butler, Director of Engineering, HB Gary Control-Hijacking Attacks
Last year at Black Hat, we introduced the rootkit FU. FU took an unprecedented Alexey Smirnov, Student, SUNY Stony Brook
approach to hiding not previously seen before in a Windows rootkit. Rather than Tzi-cker Chiueh, Professor, SUNY, Stony Brook
patching code or modifying function pointers in well known operating system Buffer overflow attacks are known to be the most common type of attacks that allow
structures like the system call table, FU demonstrated that is was possible to control attackers to hijack a remote system by sending a specially crafted packet to a
the execution path indirectly by modifying private kernel objects in memory. This vulnerable network application running on it. A comprehensive defense strategy
technique was coined DKOM, or Direct Kernel Object Manipulation. The difficulty in against such attacks should include (1) an attack detection component that
detecting this form of attack caused concern for anti-malware developers. This year, determines the fact that a program is compromised and prevents the attack from

50
further propagation, (2) an attack identification component that identifies attack SEES (Secure Mobile Code Execution Service), PAID (Program Semantics-Aware Intrusion
packets and generates attack signatures so that one can block such packets in the Detection), DOFS (Display-Only File Server), and CASH.
future, and (3) an attack repair component that restores the compromised
Attacking Web Services: The Next Generation of
application’s state to that before the attack and allows it to continue running
Vulnerable Apps
normally. Over the last decade, a significant amount of research has been vested in
Alex Stamos, Founding Partner, iSEC Partners, LLC
the systems that can detect buffer overflow attacks either statically at compile time
Scott Stender, Founding Partner, iSEC Partners, LLC
or dynamically at run time. However, not much effort is spent on automated attack
packet identification or attack repair. We present a unified solution to the three Web Services represent a new and unexplored set of security-sensitive technologies
problems mentioned above. We implemented this solution as a GCC compiler that have been widely deployed by large companies, governments, financial
extension called DIRA that transforms a program’s source code so that the resulting institutions, and in consumer applications. Unfortunately, the attributes that make
program can automatically detect any buffer overflow attack against it, repair the web services attractive, such as their ease of use, platform independence, use of HTTP
memory damage left by the attack, and generate the attack signature. We used DIRA and powerful functionality, also make them a great target for attack.
to compile several network applications with known vulnerabilities and tested DIRA’s In this talk, we will explain the basic technologies (such as XML, SOAP, and UDDI)
effectiveness by attacking the transformed programs with publicly available exploit upon which web services are built, and explore the innate security weaknesses in
code. The DIRA-compiled programs were always able to detect the attacks, produce each. We will then demonstrate new attacks that exist in web service infrastructures,
attack signatures, and most often repair themselves to continue normal execution. and show how classic web application attacks (SQL Injection, XSS, etc…) can be
The automatically produced signatures are context-aware as they describe all attack retooled to work with the next-generation of enterprise applications.
packets and accurate because each of the packets is described as a regular The speakers will also demonstrate some of the first publicly available tools for
expressions. To the best of our knowledge DIRA is the first system capable of finding and penetrating web service enabled systems.
producing accurate attack signatures from a single attack instance and performing Alex Stamos is a founding partner of iSEC Partners, LLC, a strategic digital security
post-attack repair. organization, with several years experience in security and information technology. Alex is an
Related tools: GCC, http://gcc.gnu.org experienced security engineer and consultant specializing in application security and securing
Project home page: http://www.ecsl.cs.sunysb.edu/dira large infrastructures, and has taught many classes in network and application security.

Alexey Smirnov is a PhD student in the department of Computer Science at Stony Brook Scott Stender is a founding partner of iSEC Partners, LLC, a strategic digital security
University. His is broadly interested in computer security, operating systems, and organization. Prior to iSEC, Scott worked as an application security analyst with @stake
networks. He has been working on various systems research projects in the past such as where he led and delivered on many of @stake’s highest priority clients.
Repairable Database Systems and DIRA.
Hacking Google AdWords
Dr. Tzi-cker Chiueh is a Professor in the Computer Science Department of Stony Brook
StankDawg
University, and the Chief Scientist of Rether Networks Inc. He received an NSF CAREER
award in 1995, and has published over 130 technical papers in refereed conferences and The AdWords program is an advertising system used by Google. It is a pay-per-click
journals in the areas of operating systems, networking, and computer security. He has system like may others but Google doesn’t give it the attention to design that it
developed several innovative security systems/products in the past several years, including deserves. Not only does Google take some liberties with the Terms of Service and
51
 what they allow and don’t allow in the program, but also have several flaws in the Center for Internet and Society on such issues as the digital media project, internet
logical design of the system. There are several loopholes in this system and they will filtering reports, and drafting an Internet and technology law casebook. She is also an
be explained and demonstrated with proof of concepts for every example. editor of the Harvard Journal of Law Technology, soon to be a Teaching Assistant in
Cyberlaw, and conducts research for Professor Jonathan Zittrain. Elizabeth has worked
StankDawg is a senior programmer/analyst who has worked for Fortune 500 companies
and studied in such places as Berlin, London, Paris, and Singapore, is highly interested in
and large universities. He is a staff writer for 2600 Magazine, blacklisted411, and
the impact of technology on digital culture, and is (semi-) obsessed with electronic music.
numerous websites. He has given presentations at HOPE, Interz0ne, and other local
She is spending the summer as a legal intern at the EFF, where she gets to think about
venues and has also appeared on television. He is founder of “The Digital Dawg Pound”
such issues 24/7.
(the DDP) which is a group of white-hat/gray-hat hackers who produce their own
magazine, radio shows, TV show, and numerous other projects at www.binrev.com/ Fred Benenson graduated in May with honors from New York University’s with a major in
Philosophy and a minor in Computer Science. He founded the official NYU chapter of the
The Revolution Will Not Be Copyrighted: national student organization freeculture.org. He has worked professionally as a graphic
Why You Should Care About Free Culture designer, web programmer, and IT technician and owns at least one DeCSS shirt. When
Elizabeth Stark, freeculture.org he’s not involving himself in the future of intellectual property rights (or lack thereof), he
Fred Benenson, freeculture.org likes to take pictures for his photoblog http://fasinphotoblog.com, solve the cube, and
listen to copious amounts of electronic music. He is working as a Free Culture intern this
The purpose of this paper is to explain and introduce the free culture movement and
summer at Creative Commons.
organization to the hacker community. We make the case that hackers should not
only care about the ideas of free culture in the literal sense in that we seek to protect End-to-End Voice Encryption over GSM:
technological and digital rights, but also in a broader cultural sense. The idea of using A Different Approach
and reusing bits of culture(the goal in a free culture) parallels the central tenets of the Wesley Tanner
hacker ethos where manipulation, reuse, and recontextualization are essential. To Nick Lane-Smith
that end, we’ll show some compelling examples of art and music that we consider to
Where is end-to-end voice privacy over cellular? What efforts are underway to bring
be culture hacking. From reengineered Nintendo cartridges to electronic albums
this necessity to the consumer? This discussion will distill for you the options available
consisting almost totally of samples to an early 20th century modernist Mona Lisa
today, and focus on current research directions in technologies for the near future.
hack, we’ll demonstrate that some of the most innovative and radical cultural works
Cellular encryption products today make use of either circuit switched data (CSD),
are also the most derivative. We also intend to emphasize the significance of political
or high latency packet switched networks. We will discuss the advantages and
and social action in order to maintain an environment of innovation and progress.
disadvantages of these services, focusing on details of GSM cellular channels
There are highly significant cultural and technological issues that need to be
specifically. The highlight will be our current research project: encrypted voice over
addressed in society and we cannot stand by passively while leaving the control in
the GSM voice channel. We’ll dig into how this works, and why it is useful.
the hands of the government, corporations, and other entities. In essence, free culture
This talk will touch on some fundamentals of modem design, voice codecs, GSM
is deeply ingrained in the hacker ideal.
protocol basics, cryptographic protocols for voice links, and a bunch of other
Elizabeth Stark is the main law student of freeculture.org. She went to Brown University interesting stuff. There will be demonstrations with MATLAB/Octave and C, and we
and is currently attending Harvard Law School, where she is involved with the Berkman will provide some fun code to experiment with.
52
Wes is a systems engineer at a software-defined radio company in San Diego, California. Wire. A short story collection, “More Than a Dream: Stories of Flesh and the Spirit” is
He holds a B.S. in Electrical Engineering from Rensselaer Polytechnic Institute. coming soon and he is writing a novel, “The Necessity for Invention”, which includes the
adventures of Don Coyote and Pancho Sanchez, two wily hackers.
Nick is a security engineer at an innovative computer company. He holds a B.S. in
Computer Science from the University of California, Santa Barbara. He is currently
Physical Security Bypass Techniques: Exploring the Ethics
unreachable in Antigua, so I suppose I could say anything here. I won’t.
of Full Disclosure
Recapturing the Revolutionary Heart of Hacking Marc Weber Tobias, Investigative Law Offices, Security.org
Richard Thieme, ThiemeWorks Matt Fiddler

A revolutionary program for preparing the future using past models of creativity and Recent public disclosures detailing physical lock and safe bypass techniques have
ingenuity. Deeply personal and implicitly political, this talk illuminates the potentials raised consumer awareness detailing the efficacy of the hardware that protects some
and possibilities of hacking in a transparent society, a surveillance society, a society of our most important assets. This talk will address the ethics of full-disclosure, the
that neutralizes dissent. liability for failure to disclose, and the impact of public dissemination.
It defines identity hacking as a transformational process requiring all of our Demonstrations and new discoveries of lock bypass techniques will be reviewed.
resources and skills. Identity hacking is alive in an underground now that is gathering Marc Weber Tobias is an Investigative Attorney and polygraph examiner in the United
itself for a defiant refusal to be captured and managed. That revolutionary heart is States. He has written five law enforcement textbooks dealing with criminal law, security,
recaptured in the willingness to understand the mechanics of reinvention and to and communications. Marc Tobias was employed for several years by the Office of
commit ourselves to a higher code or path than the broken options offered by a Attorney General, State of South Dakota, as the Chief of the Organized Crime Unit. As
consumer society in a globalized world tilted far to the right. such, he directed felony investigations involving frauds as well as violent crimes.
Hackers in the future will have to be wily and guiltless, transparent and Matt Fiddler leads a Threat Management Team for a large Fortune 500 Company. Mr.
duplicitous, treacherous and faithful. They must know how to live in this world but Fiddler’s research into lock bypass techniques have resulted in several public disclosures of
never surrender, they must learn how to splice multiple possibilities into a single critical lock design flaws. Mr. Fiddler began his career as an Intelligence Analyst with the
destiny in the moment of execution. That moment, fusing self-transcendence and United States Marine Corps. Since joining the commercial sector in 1992, he has spent
action, is the revolutionary heart of hacking. It is also a means of practice for a the last 13 years enhancing his extensive expertise in the area of Unix and Network
trans-planetary quest. Engineering, Security Consulting, and Intrusion Analysis.

Richard Thieme (www.thiemeworks.com) is an author and professional speaker focused

The Internet’s March of Folly: How, from ARPA to WSIS,
on the deeper implications of technology, religion, and science for twenty-first century
Internet Governance Has Consistently Pursued Policies
life. He has spoken for Def Con for ten years and Black Hat for eight as well as for other
Contrary To Its Self Interest.
venues ranging from ShmooCon, ToorCon, and AUSCERT to the Pentagon, the FBI, and
Paul Vixie
the US Department of the Treasury. His internet columns, “Islands in the Clickstream,”
are widely read and were collected and published by Syngress Publishing in June 2004. Paul Vixie has been contributing to Internet protocols and UNIX systems as a protocol
Since then he has published a dozen short stories including “The Geometry of Near,” a designer and software architect since 1980. Early in his career, he developed and
hacker tale published online by Phrack and included in the anthology CyberTales: Live introduced sends, proxynet, rtty, cron and other lesser-known tools.

53
 Today, Paul is considered the primary modern author and technical architect of BINDv8 DR. LINTON WELLS II, Assistant Secretary of Defense for
the Berkeley Internet Name Domain Version 8, the open source reference implementation Networks and Information Integration / CIO
of the Domain Name System (DNS). He formed the Internet Software Consortium (ISC) in Dr. Linton Wells, II was named Principal Deputy Assistant Secretary of Defense for
1994, and now acts as Chairman of its Board of Directors. The ISC reflects Paul’s Command, Control, Communications and Intelligence (C3I) on August 20, 1998, and
commitment to developing and maintaining production quality open source reference serves in that capacity in the C3I successor organization, Networks and Information
implementations of core Internet protocols. Vixie is currently the CTO of Metromedia Integration (NII). In addition, Dr. Wells serves as Acting Deputy Assistant Secretary of
Fiber Network Inc (MFNX.O). Defense for Spectrum, Space, Sensors, and Command, Control, and Communications
Along with Frederick Avolio, Paul co-wrote “Sendmail: Theory and Practice” (Digital (DASD (S3C3)).
Press, 1995). He has authored or co-authored several RFCs, including a Best Current Prior to this, Dr. Wells served the Office of the Under Secretary of Defense (Policy) from
Practice document on “Classless IN-ADDR.ARPA Delegation” (BCP 20). He is also July 1991 to June 1998, concluding most recently as the Deputy Under Secretary of
responsible for overseeing the operation of F.root-servers.net, one of the thirteen Internet Defense (Policy Support).
root domain name servers.
Trends in Licensing of Security Tools
Hackers and the Media- Misconceptions and Critical Tools Chuck Willis, Senior System Security Engineer
To Combat Them
Do you think that all those tools you download for security testing are free? Well, they
Patty L. Walsh/ Muckraker, Freelance Journalist Greenspun
may be free of cost for some uses, but the licenses of many tools commonly used by
Media Group
the security community are getting more restrictive and complicated. This interactive
Ever wonder what to do with the media when it seemingly (and definitely) reports discussion will look at the current state of security tool licensing and also look at
inaccuracies with regard to hackers and hacking in general? Fed up with the constant where this field may be headed. Specific examples of license restrictions in many
misconceptions you feel the media has of hackers? What is to be done? This forum commonly used tools will be presented in order to illustrate the current trends and
shall act as an interactive discussion on the misconceptions between hackers and the also help tool users in the audience navigate the bumpy road of security licensing
media, what to do in order to protect yourself, ho to handle the media and your (as issues and stay on the right side of the law. Also discussed will be possible actions for
well as the media s) constitutional and legal rights. There shall be a special surprise at tool users, tool authors, and others to make tool licensing simpler in the future.
the end for those in dire need of alleviation their stress towards? The Media.
Chuck Willis received his M.S. in Computer Science from the University of Illinois at
Patty L. Walsh has been a political junkie since she was a child. She currently attends Urbana-Champaign in 1998. After graduation, he spent five years conducting computer
UNLV as a Senior, and is majoring in Political Science with emphasis on International forensics and network intrusion investigations as a U.S. Army Counterintelligence Special
Relations; along with a minor in Communications. She has written for The Las Vegas Agent. Chuck is now conducting Penetration Testing and Vulnerability Assessments as a
Review-Journal, Las Vegas Mercury, Las Vegas Tribune, Las Vegas CityLife, The UNLV security contractor. Chuck has previously spoken at the Black Hat Briefings USA and the IT
newspaper, and currently is a freelance journalist for Greenspun Media Group. She also is Underground security conference in Europe. Chuck has contributed to several open
a Production Assistant and DJ for KUNV 91.5 FM in Las Vegas. Walsh intends to become source security software projects and is a member of the Open Web Application Security
an international correspondent, and has many qualms with the media (except for BBC Project, a CISP, and a Certified Forensic Computer Examiner. Chuck’s past presentations
and Reuters, most of the time). She has attended DefCon since DC10, where she wrote are available on his Web site at www.securityfoundry.com/
about the media misconceptions of hackers as an intern for the Las Vegas Mercury.
54
Attacking Biometric Access Control Systems
Zamboni, Researcher, Miskatonic Research Labs
This talk explores how to attack biometric authentication systems, primarily physical
TUNE IN
access control systems. Previous literature on this topic has focused on attacking a DC TV
biometric reader in the form of spoofing a biometric trait. This presentation goes a
step further and provides a general methodology for attacking on complete biometric Staying at the Alexis Park? Want to see the talks but don’t
systems. The methodology can be applied to any biometric system and outlines how want to leave your room? Tune in to DEFCON TV!
to find common weaknesses in these systems. Real world examples and case studies
Channels 22, 25, 27, 28, 29 & 30
are included. The talk concludes by illustrating possible defense strategies.
“The great Zamboni” has been in the security industry for over 6 years, most recently
working at a Fortune 500 company. His work has covered many areas including
penetration testing, assessing the security of systems and engineering computer security
systems. Recently his job has focused on integrating physical and logical security systems.
Outside of work Zamboni is a founding member of Miskatonic Research Labs, a non-
IMAGE BY ASTROFY
profit security research group located in Northeastern Ohio. Some of his many interests
include penetration testing techniques, wireless security, lock picking and the
convergence of physical and computer security. He is also a core member of the Notacon DC RADIO
planning committee.
DefCon Radio is in it’s 5th year this 2005.
The Unveiling of My Next Big Project
For the last 4 years we have been working toward making the
Philip R. Zimmermann, Creator, Pretty Good Privacy
con more enjoyable through a DJ & Listener controlled radio
Philip R. Zimmermann is the creator of Pretty Good Privacy. For that, he was the target of station. This year will be the third year with that system.
a three-year criminal investigation, because the government held that US export
restrictions for cryptographic software were violated when PGP spread all around the
The system broadcasts Vorbis OGG files through a custom ices
world following its 1991 publication as freeware. Despite the lack of funding, the lack of & mysql combination to provide a somewhat scheduled but
any paid staff, the lack of a company to stand behind it, and despite government live interactive radio station.
persecution, PGP nonetheless became the most widely used email encryption software in
When at the con: listen on 93.7fm @ the Alexis Park...
the world.
Updates on speakers and events every half an hour Interviews
and news starting every hour
http://defcon.dmzs.com for updated information

55
 BLACK & WHITE BALL S AT U R D AY • J U LY 3 1
2100 - 0400 • APOLLO

DJ STYLE

wintamute/pmt munich Electronic

DJ Casey psytrance

Catharsis (EGR Records) Hard Techno / Industrial

Miss DJ Jackalope Dirty Drum and Bass

Regenerator EBM

Shatter Industrial

Krisz Klink Psytrance

Come in Style: Rubber, Leather, Vinyl, Fetish Glam,

Kinky, Drag, Cyber Erotic, Uniforms, Victorian, Tuxedo, Costumes...
absolutely No Jeans or Street Clothes! No exceptions!!!

O R G A N I Z E D B Y B I N K . . . B U Y T H E M A N A B E E R
56
 D AY 1 TRACK ONE TRACK TWO TRACK THREE
F R I D AY PA R T H E N O N TENT APOLLO
J U LY 2 9

10:00 - 10:50 Recapturing the Revolutionary The Unveiling of My Next Big Hacking Nmap
Heart of Hacking Project Fyodor
Richard Thieme Philip R. Zimmermann

11:00 - 11:50 Mudge End-to-End Voice Encryption On the Current State of Remote
over GSM Active OS Fingerprinting
Wesley Tanner & Nick Lane-Smith Ofir Arkin

12:00 - 12:50 The Internet’s March of Folly Routing in the Dark: Introducing Unicornscan
Paul Vixie Ian Clarke & Oskar Sandberg Robert E. Lee & Jack C. Louis

13:00 - 13:50 Suicidal Linux Lost in Translation ATM Network Vulnerabilities

Bruce Potter Christian Grothoff Robert Morris

14:00 - 14:20 CISO Q&A w/Dark Tangent Auto-adapting Stealth Credit Cards
Panel Communication Channels Robert “hackajar” Imhoff-Dousharm
Daniel Burroughs

14:30 - 14:50 The Next Generation of

Cryptanalytic Hardware
David Hulton

15:00 - 15:20 No Women Allowed? The NMRC Warez 2005 Hacking Google AdWords
Thomas J. Holt Extravaganza StankDawg
Simple Nomad & the NMRC Collective

15:30 - 15:50 Social Engineering Do’s & Don’ts

Beth Louis (Phen)

16:00 - 16:20 The Six Year Old Hacker Shmoo-Fu: Hacker Goo, Goofs, Passive Host Auditing
Kevin McCarthy and Gear with the Shmoo jives
Bruce Potter, Beetle, CowboyM, Dan
Moniz, Rodney Thayer, 3ricj, Pablos
16:30 - 16:50 Development of An Undergrad Bypassing Authenticated Wireless
Security Program Networks
Daniel Burroughs Pierce, Edwards & Lineberry

17:00 - 17:20 Whiz Kids or Juvenile Delinquents Mosquito

Amanda Dean Wes Brown & Scott Dunlop

17:30 - 17:50 The Power to Map

Kristofer Erickson

18:00 - 18:50 Hackers and the Media DC Groups Panel Hacking Windows CE
Patty L. Walsh San

19:00 - 19:50 Causing the Law Death of a Thousand cuts Your Defense is Offensive
Mark Pauline Johnny Long hellNbak

20:00 - 20:50 Assymetric Digital Warfare Hacking in a Foreign Language

Roberto Preatoni & Fabio Ghioni Kenneth Geers

21:00 - 22:50 The Internet’s March of Folly Black Ops 2005 TCP/IP Drinking Game
Paul Vixie Dan Kaminsky hosted by Mudge
57
 MOVIE CHANNEL B R O U G H T T O
Y O U B Y D C 8 0 1

T H U R S D AY F R I D AY S AT U R D AY S U N D AY

00:00 Primer No Maps for These Territories 23

03:00 Brazil The Day the Earth Stood Still THX 1138

06:00 Pi Blade Runner The Fifth Element

09:00 Run Lola Run Office Space Enemy of the State

12:00 New Rose Hotel Takedown Fear and Loathing in Las Vegas

15:00 Oceans 11 Minority Report I, Robot Real Genius

18:00 Equilibrium Ghost in the Shell Ghost in the Shell 2 Pump Up the Volume

21:00 Wargames Sneakers Johnny Mnemonic Hackers

ARTWORK BY NEØNRA1N

HTTP://WWW.LIVEJOURNAL.COM/USERS/EVILBUNNYWRENCH/
58
 D AY 2 TRACK ONE TRACK TWO TRACK THREE
S AT U R D AY PA R T H E N O N TENT APOLLO
J U LY 3 0

10:00 - 10:50 Physical Security Bypass The Hacker’s Guide to Search Bacon
Techniques and Arrest Hernan Gips
Mark Weber Tobias & Matt Fiddler Steve Dunker

11:00 - 12:50 Introduction to Lockpicking and Ask EFF Attacking Web Services
Physical Security Newitz, Seltzer, Bankston, Opsahl, Alex Stamos & Scott Stender
Deviant Ollam Schoen

13:00 - 13:50 Intro to High Security Locks Meet the Fed Automation - Deus ex Machina
and Safes Jim Christy & Various other Feds or Rube Goldberg Machine?
Michael Glasser & Deviant Ollam Sensepost

14:00 - 14:50 A Safecracking Double Feature The Information Security Industry

Leonard Gallion David Cowan

15:00 - 15:50 Attacking Biometric Access Dr. Linton Wells Pen-testing the Backbone
Control Systems Assistant Secretary of Defense Raven
Zamboni for Networks and Information
Integration

16:00 - 16:50 Old Skewl Hacking - InfraRed Legal and Ethical Aspects of Trust Transience: Post Intrusion
Major Malfunction WarDriving SSH Hijacking
Shuchman, Thornton, Hale II Metalstorm

17:00 - 17:50 Building WarDriving Hardware Trends in Licensing of Security Countering Denial of Information
Workshop Tools Attacks
Matthew L. Shuchman “Pilgrim” Chuck Willis Greg Conti

18:00 - 18:50 Sketchtools Licensing Agreements 101 The Dark Side of Winsock
Matt Cottam Jim “FalconRed” Rennie Jonathan Levin

19:00 - 19:50 Be Your Own Telephone The Revolution Will Not Be Google Hacking for Penetration
Company...With Asterisk Copyrighted Testers
Strom Carlson & Black Ratchet Elizabeth Stark & Fred Benenson Johhny Long

20:00 - 20:50 Top Ten Legal Issues in A New Hybrid Approach for
Computer Security Infrastructure Discovery,
Jennifer Granick Monitoring and Control
Ofir Arkin

21:00 Movie Night until 100 Hacker Jeopardy Black & White Ball until 0400
Hosted by the Dark Tangent
59
 PRED
The Las EFCO
N SU
NOTEWORTHY What is
Vegas, N
V DefCo
n group
pre-DefC
, dc702, is
MMIT

p
it? TheS
ummit is on Summ roud to announ
of passio a fund ra it! ce the
nate peo is er fo
EFCON ple - law r the EFF,
ANNUAL D visionari
es - work yers, technolog a nonpro
THE FIFTH ADES is fit group
BAND O F R E N E G ALL TICK ing to protect yo ts, volunteers, a
ET SALE ur digita nd
SKYDIVE S GO DIR
ECTLY TO
l rights.
EFF
fCon Skydive
very unofficial De
D E TA
The fifth annual
WHE SIL
R E : Ic
n 13 . WHE e House
DefCo N: - Las Veg
is scheduled for HOW
Thursda
y July 28 as, NV RUMORZZZ
MUC
H : Tick , 2005, 2
.COM/ ets $30 1:00 - 0 converge
W.DCJUMP 0:00
HTTP://WW pre-sale
All Ages
Event!
$40 @ d
oor The Turd in the Punchbowl
W W W.
Join Date: Oct 2001
north
DC702
SUMM
I T. O R G Location: slightly south of
Posts: 1,691
10 THINGS D the
EFCON HAS
DONE FOR M Rumor has it, DT has taken
E onally
10. Made me hate
SUBMITTED
BY NIHIL gunnery seat and will be pers
Vegas g or den ying ever y pack et that
9. Introduced me acceptin
to a bunch of great rg until the 1st of
8. Given me someth people touches defcon.o
ing I can say I have August. Be warned.
for a decade done consistently
7. Taught me that
drinking non-stop for
6. Create the excuse 18 hours is a learne
needed to see those d skill
5. Made me love great friends once a
Vegas year
4. Paved the way SLOGAN CONTEST WINNERS
to my current job (wo
3. Provided infamy rkin g for Black Hat)
by having my ex-girl 1. Defcon: Putting the 13 in 31337 - panic
become Vinyl Vanna friend (aka Bad Kitty)
2. These aren\'t the geeks you\'re looking for. - Jack
2. Proven I never,
ever want to share 3. def•con (dehf-cahn) n. 1.A tactical diversion by
cDc again a room with one of
the hackers to distract a large group of feds for a
1. Got me fired fro
m Microsoft! weekend. - Adrenaline

60
 D AY 3 TRACK ONE TRACK TWO TRACK THREE
S U N D AY PA R T H E N O N TENT APOLLO
J U LY 3 1
11:00 - 11:50 DIRA Meme Mining for Fun and Profit Forensic Data Acquisition Tools
Alexey Smirnov & Tzi-cker Chiueh Broward Horne RS

12:00 - 12:50 Introducing the Bastille Hacking the Mind (Influence Visual Security Event Analysis
Hardening Assessment Tool and NLP) Raffael Marty
Jay Beale Mystic

13:00 - 13:50 The Insecure Workstation II `bob Doing Not-For-Profit Tech Surgical Recovery from Kernel-
reloaded` Krembs, Farr, Tan, Cunningham, Level Rootkit Installations
Deral Heiland Granick, Schuyler, Wright & William Julian Grizzard
Knowles & other select members of
the Foundation Board.

14:00 - 14:50 A Linguistic Platform for Threat Analysis of Identity Creation GeoIP Blocking
Development Detection Schemes post- 9/11 Tony Howlett
Ben Kurtz Cerebus

15:00 - 15:50 “Shadow Walker “ — Raising Why Tech Documentaries are Steve Dugan
The Bar For Rootkit Detection Impossible (And why we have to
Sherri Sparks & Jamie Butler do them anyway.)
Jason Scott

16:00 - 16:50 Awards Ceremonies

Hosted by the Dark Tangent

AFTER THE CON

Missed the last 12 DEFCONs? No phear! professionals and security enthusiasts. After years of unsuccessfully attempting
Revisit the past and relive the content Technical projects, technical to gather the thousands of pictures taken
with streaming audio and video. There presentations, DEFCON contests, and at DEFCON the fine folks at
are well over 750 live realmedia links. We other events are planned and executed DefconPics.org stepped up to the plate. In
expect you to be fully caught up before by DC Groups. 2001 they took on the challenge of
DC 14. To meet your privacy needs the keeping track of every photo gallery in
http://www.defcon.org/html/defcon-
main DEFCON website, which contains the universe that contains DEFCON
groups/dc-groups-index.html
powerpoints and tools from previous related pics. Be advised, it is very likely
talks, is now available via https. Even if you live in an isolated tundra, you that many of the pictures are *not* safe
can still participate in the DEFCON for work.
http://www.defcon.org/html/links/def
community long after the memories of
con-media-archives.html or http://defconpics.org/
the searing Vegas sun are gone. The
https://defcon.org/html/links/defcon-
DEFCON forums discuss technology,
media-archives.html
contests, events, as well as local DEFCON
Keep in touch with your local scene! Groups meetings. A word to the wise—
There are DEFCON Groups all around the read the rules before posting.
world, if there isn’t one in your neck of http://forum.defcon.org/ or
the woods, learn how to start one. Like https://forum.defcon.org.
DEFCON the groups are a mix of security
 DUNK
defcon 13 vendors Blacklisted 411
Breakpoint Books
CultureJunkie
Electronic Frontier Foundation THE
GEEK!
Irvine Underground
Ninja Gear
Overdose
Rainbow F R I D AY & S AT U R D AY
1200 - 2200
Rootcompromise POOL 2 GAZEBO

Shadowvex All proceeds to support the EFF.

Sinkers to include: William Knowles (C4I.org), Salem, Octalpus, Noid, D-Ren DJ Jackalope, Siviak,
Sound of Knowledge Grifter, Patrick Norton, HighWizard, Dead Addict, Jason Scott, Wendy Seltzer, Pryo, The Dark Tangent

Tim Huyn
Image courtesy of Rootcompromise.
tommEE Pickles
UNIX Surplus Looking for DEFCON Swag?
Visit the Jinx booth in the
University of Advancing Technology
Vendor Area and find T-shirts, shot glasses, mugs,
WarDriving World bags, zippo lighters, hoodies, baseball hats,
J!NX: Find official DC beanies, jackets, long sleeve shirts, camp shirts,
Clothing & Merchandise at laptop sleeves and more.
JINX Hackwear. All official DEFCON merchandise have the
DEFCON logo on them.
Vendors are located in Zeus. Vendor area is open from 1000 - 2000
62
 PARTHENON 5

EXECUTIVE
BOARDROOM PARTHENON 1 PARTHENON
(LEVEL 2) 3&4
BOARD
ROOM
D Capture the Flag Speaking Area -
POOL 1 Track 1
BOARD
ROOM
C
PARTHENON 2
BOARD

PARTHENON FOYER
ROOM Chill Out
B DJ Action
BOARD
ROOM
A

ALEXIS GARDENS
ZEUS

BAR & GRILL RESTAURANT

Vendors

HOTEL LOBBY Info Booth

ATHENA
Contest Room
Info Booth
APOLLO
FOYER
Registration APOLLO
TENT 1
Parking Lot Speaking Area - Track 3
Speaking Area - Track 2
Hacker Jeopardy Black & White Ball

G E T T I N G A R O U N D
Black & White Ball: Apollo Movie Night: Parthenon 3 & 4
Capture the Flag: Parthenon 1 TCP/IP Drinking: Parthenon 3 & 4
Contest Area: Athena Vendors: Zeus
Dunk Tank: By Pool 2, Speaking Track 1: Parthenon 3 & 4
in front of the Gazebo Speaking Track 2: Tent
Info Booth: Athena Speaking Track 3: Apollo
Hacker Jeopardy: Tent
Lost your way? Go to the DC Info Booth located in the Athena.
63
 THANKS TO THOSE WHO MADE DEFCON THIRTEEN POSSIBLE.
I want to personally thank everyone that has some together to make this con happen.
Because DEF CON is not a commercial enterprise in the sense that we can’t afford to pay everyone who helps
(If we charged $250 a person, then it might be possible), it is in the hands of dedicated volunteers who make things happen.
This page is for them.
The Speakers, in Alpha Order: Ofir Arkin, Jay Beale, Wes Brown & Scott Dunlop, Daniel Burroughs, Strom Carlson & Black Ratchet, Cerebus, Ian Clarke & Oskar
Sandberg, Greg Conti, Matt Cottam, David Cowan, Scott Blake & Pamela Fusco & Ken Pfiel & Justin Somaini & Andre Gold & David Mortman, Amanda Dean,
Deviant Ollam, Steve Dunker Esq, Kristofer Erickson, Fyodor, Leonard Gallion, Kenneth Geers, Hernan Gips, Michael Glasser & Deviant Ollam, Paul Graham, Jennifer
Granick, Julian Grizzard, Christian Grothoff, Deral Heiland, hellNbak, Thomas Jolt, Broward Horne, Tony Howlett, David Hulton, Robert “hackajar” Imhoff-
Dousharm, Dan “Effugas” Kaminsky, jives, Jesse Krembs & Nick Farr & Emerson Tan & Frazier Cunningham & Jennifer Granick & James Schuyler & Christian Wright
& William Knowles, Ben Kurtz, Robert E. Lee & Jack C. Louis, Jonathan Levin, Johnny Long, Beth “Phen” Louis, Kevin McCarthy, Major Malfunction, Raffael Marty,
Jim Christy & various MIB, Metalstorm, Robert Morris Sr., Mystic, Annalee Newitz & Wendy Seltzer & Kevin Bankston & Kurt Opsahl & Seth Schoen, Mark Pauline,
Dean Pierce & Brandon Edwards & Anthony Lineberry, Bruce Potter & Beetle & CowboyM & Dan Moniz & Rodney Thayer & 3ricj & Pablos, Roberto Preatoni
(Sys64738) & Fabio Ghioni, Raven, Jim „FalconRed‰ Rennie, San, Jason Scott, Roelof Temmingh & Haroon Meer & Charl van der Walt, RS, Matthew „Pilgrim‰
Shuchman & Frank Thornton & Robert V. Hale II, Simple Nomad & HellNBak & erita & Weasel & jrandom & MadHat, Sherri Sparks & Jamie Butler, Alexey Smirnov &
Tzi-cker Chiueh, Alex Stamos & Scott Stender, StankDawg, Elizabeth Stark & Fred Benenson, Richard Thieme, Mark Weber Tobias & Matt Fiddler, Patty “Muckraker”
Walsh, Wesley Tanner & Nick Lane-Smith, Paul Vixie, Chuck Willis, Zamboni, Philip R. Zimmermann.
The Staff: Black Beetle, Zac, Dead Addict, Lockheed, Major Malfunction, Noid, Russ, Roamer, Techno Weenie, Priest, Cat, Q, Charel, Gonzo, Agent X, Nico, Heather,
Videoman, Bink, Pyro, ETA, The Proctor, Zziks, Nulltone, Pappy, Cal, Wiseacre, Greg, OctalPussy, Noise, Quagmire Joe, Squeak, Flea, MikeyP, Cyber, Captain Jim,
Rahael, Ben, KK, Nihl, D.Fi, SkrooU, Queeg, Quiet, Grifter, AlxR, Ted, Tyler, Sarge, CRC, Froggy, Connor, Cyber Junkie, Nobody, Teklork, B-Side, JDoll, Che, Freshm,
TriggerJenn, Rescue, Dedhed, Kruger, CloneLoader, AJames, GodMinusOne, Justabill, Chosen 1, Pescador, Kevin E, Derek, Amish, Code 24, Riverside, Sn8keByte,
FoTM, CYMike, Spahkle, Montell, Arclight, Kampf, Psylon, NFarr, Humperdink, CHS, Magic Tao, Koz, Xinc, Carric, Stephen Rossi, Dirk Sell, Jen M
The DJs: wintamute & pmt munich, DJ Casey, Catharsis, Ms. DJ Jackalope, Regenerator, Shatter, Krisz Klink.
Contest Organizers: CTF: the anonymous team behind kenshoto. Coffee Wars: Shrdlu, Alice, Madhat, Foofus. Hacker Jeopardy: Winn Schwartau & Nulltone.
Lockpicking contest: KaiGoth, Freaky and Varjeal. Robot Warez: kallahar, jayandrews. Scavanger Hunt: tierra. Cannonball Run: tommEE. WarDriving Contest: Roamer,
TheWad, Wiseacre, AlxRogan, Medic, Thorn, Syn-Ack. Slogan Contest: Roamer, Russ. Wifi Shootout: Dave Moore, Stefan Morris, Derek Hubbard, Steven Stovall.TCP/IP
Device Contest: t0zi3, DC480. Toxic BBQ: converge, highwizard, l0nd0. Defcon Pics: tpublic. DC Movie Channel: DC801. QueerCon: HighWizard, euro12.
Those who will be remembered: Branden “Ghent” Hancock and Josh “PacBell” Cohen.