August 12, 2014, 1:06 PM —
Image credit: REUTERS/Steve Marcus
But for the ever-growing crowds, a returning visitor to the DEFCON hacking conference in Las Vegas might not notice much change from previous years. Leather, piercings and body art are still much in evidence. House music still pounds from darkened hotel ballrooms where groups of men (they're almost all men) slump over their laptops, typing commands at a furious pace.
Behind the scenes, however, DEFCON's organizers say that the show is fast moving beyond its longtime preoccupation with hacking for "lulz" (laughs) and conspicuously picking up the mantle of "reform" by highlighting computer security problems that can also damage life and limb.
The shift is subtle. After all, DEFCON and its younger sibling, Black Hat, have long been platforms for blowing the whistle on the failings and foibles of large, wealthy technology firms and their products.
But for those who advocated for a change of focus the shift is substantial and – they would argue – long overdue. "I think that, deep down, we're realizing that our hobby is taking on a higher consequence," said Joshua Corman, the Chief Technology Officer at Sonatype and one of the founders of iamthecavalry.org, a volunteer organization that calls attention to issues in which computer security intersects public safety and human life.
Demonstrations in recent years by researchers like Jay Radcliffe, Charlie Miller and Chris Valasek as well as the late Barnaby Jack have demonstrated how everyday objects, from automobiles to ATMs to insulin pumps are vulnerable to software-based attacks carried out over wireless networks or the Internet.
The visuals, from a dollar-spewing ATM to cars veering and crashing, made an impact. "You can see the steering column jerked out of the driver's hands and the brakes failing," said Corman of Valasek and Miller's demonstration. "The effect was palpable and visceral. It's like 'things just got real.'" Cyber security is "bigger than a day job," says Corman. "It's our lives."
Corman said that the difference between this year's show and prior attempts to have DEFCON make a positive impact is timing. "The public wasn't ready and now it is," he said. "We're at a tipping point."
To put some momentum behind that, Corman and iamthecavalry co-founder Nick Percoco of the firm Rapid7 used this year's event to issue an open letter to the CEOs of major automakers that called for improved software security in automobiles.
With evolving platforms like connected vehicles, the danger isn't a matter of conjecture, says Nick Percoco of Rapid7. "We already have risk and dependence in the field," he said in a press conference on Friday. That includes cars that are using outdated network stacks that contain known and exploitable software vulnerabilities.
Iamthecavalry proposed a five-point program to get carmakers to address software security – akin to the current "five star" crash rating system. Among the improvements they're calling for are cross-industry standards for software security, better testing of third-party software and "adversarial testing" of the software that powers modern, connected vehicles.
And the group isn't limiting its work to connected vehicles, either. Medical devices, home electronics and personal technology are also on the list.
Corman and crew weren't the only group of unabashed do-gooders at this year's DEFCON. Researchers Mark Stanislav and Zach Lanier of DUO Security spoke on Saturday morning about their non-profit BuildItSecure.ly, which is tackling the same problem as iamthecavalry but from the grass roots: the countless small, crowd-funded projects launched via platforms like KickStarter and IndieGoGo.
Lanier and Stanislav say that "known bad behavior" around application development is rampant in such environments, which are constrained by small budgets and the pressure of meeting (self-imposed) deadlines. The result: lots of weak and exploitable software and a heavy dependence on ready-made hardware and software platforms like Contiki, Wunderbar and others that can speed product development, but may expose products to unknown and exploitable holes later on.
Other projects on display at DEFCON include The Open Crypto Audit Project, a crowd-sourced, global effort to audit the TrueCrypt encryption software – just one grassroots-driven response to the disruption caused by the Heartbleed security hole in OpenSSL.
Jeff Moss (aka "Dark Tangent"), the father of both DEFCON and Black Hat, acknowledged the new focus on health and safety. But Moss said that the effort is in keeping with what he sees as the essential optimism of DEFCON. "We've always tried to have the perspective of 'if you tell people the world sucks then you have to give them hope by telling them how to fix it.'" He said that show organizers may not have explicitly called out the ideal of 'good works' in prior years – but that didn't mean it wasn't there.
Besides, Moss said, most hackers are motivated by a sense of altruism. "People get into this because they want to make the world a better place. They're breaking stuff in order to fix it." Still, he also agreed that the events of recent years had created a 'tipping point' in the information security community.
"You've had Wikileaks and Snowden, NSA spying on Congressional staffers," he said. Moss said the sense of unease has penetrated deep into the social fabric. "My mother is asking me if her text messages can get intercepted," he said.
"We've gotten to the point that nobody can be trusted, and it's causing people to become schizoid," Moss said. "If we're not careful, people will begin to feel defenseless and helpless."
Moss said he sees lots of reasons for optimism, however. Companies like Google and Microsoft now see it as in their corporate interest to help improve the quality and security of shared and open-source software. "Some of these problems have always existed, but it has become good public relations and marketing to spend money to fix them," Moss said.
Forums at DEFCON like the lock picking villages and, more recently, the ICS village for experimenting with industrial control technology are a sign of the breadth and vibrancy of the hacking community. "It used to be the phone hackers and the Unix hackers," said Moss. "And now it's everything. But one of the strengths of (DEFCON) is that it happened on its own. DEFCON is just a platform. We give you a stage and you need to succeed or fail on your own."