In April of this year, InfoSec launched a new team called Customer Compliance. Several senior InfoSec employees joined its ranks, and I was hired into the team. My name is Meg Grady-Troia, and I'm a member of Akamai's Customer Compliance team because I am an anthropologist, an educator, and a writer. My job is finding creative and effective ways to begin sharing Akamai's security posture and platform with our customers, and to answer the questions that our sales team is constantly fielding as they do their great work. That means that I am learning InfoSec and Akamai culture as fast as I can, only ever a step or two ahead of the questions I'm answering. It's great fun, and also a great challenge.
Here at Akamai, we call the on-boarding process "drinking from the firehose." With the blessing of the InfoSec department, I'll be sharing some of that firehose process with you, starting with excerpts from my blog about my experiences at one of the country's biggest hacker and security conventions, DefCON.

The Lion Sleeps Tonight: Preparing for DefCON

As I began preparations for my trip to DefCON, co-workers and peers gave me all manner of advice. As with all advice, some of it was contradictory, some of it was impossible, and some of it was indispensable. The advice about where to eat (taco stand reviews forthcoming, hopefully), what the Strip's environment is like (over-oxygenated air, brutal sun, great pools), and who I should try to meet (everyone!) was easily assimilated, but as the feedback about safety and security rolled in, it was hard not to panic.
Some of the things I was told were:
- all traffic in Las Vegas is monitored, no network (even with VPN or Tor) is secure;
- all data traffic on mobile devices is insecure & 4G is easy to sniff;
- all power outlets might be transmitting more than power or tampered with to damage equipment;
- all public places may be scanned for RFID tags, compromising my identity or finances;
- not to identify my employer or my job;
- not to travel alone;
- not to accept drinks from anyone;
- not to bring electronics that had any controlled or secret data; and
- most hotel rooms are bugged.
Most of these things could be true most of the time, in fact: I understand that "safety" is an absolute rather than an actual possibility. I take risks every day; the more complex and valuable the actions I am taking are, the higher the risks are, too. Even so, one co-worker likened DefCON to "walking into the lion's den." Lions are dangerous, but in predictable ways. And, he added graciously, "only lions walk into lion's dens most of the time."
My boss gave me the best advice, though, and it is advice that is relevant to all Security professionals and amateurs: decide what your risk tolerance is, know what your powers of protection are, understand what vulnerabilities are inevitable, calm down.
His advice was to find my own tolerance for risk and my own security posture, rather than to blindly follow the precautions that my peers find valuable. But it was also like the serenity prayer for Security: "SuperUser grant me the powers to protect the resources that I can, the serenity to accept the risks I cannot mitigate, and the wisdom to know the difference."
As I worked to assemble the supplies I knew I wanted -- a burner laptop so that I could use the Akamai VPN and not risk exposing the compliance data that lives on my usual work machine, an RFID-blocking wallet to hold my credit cards and ID, a battery charger for my cellphone for long days at the Con, extra sunscreen for my pale, freckle-prone skin -- I worked to build a working model of what I wanted to take away from DefCON and why I was attending.
It turned out to be pretty easy: I want to know if I'm a lion, too. The opportunity to walk into rooms full of brilliant people who care deeply about testing the limits of our social contracts and agreements, who live on the Internet where the normal boundaries and borders of our geo-political world are blurred, and who are more deeply committed to the cycle of build-and-break than many people in this world is a great one.
It's not clear to me yet if I will be a lion, a lion-tamer, or just a sheep in lion's clothes, but I know I am excited. I may not have prepared as well as some of my peers did, but I have a marked up schedule, a gorgeous badge of my own, and I am ready to learn.

DefCON Day 1: The Lay of the Land
Between talks, the hallways of the convention center fill with slow-moving streams of people walking between rooms. The hallways aren't ever empty, though, even when the scheduled Con events are long over for the day. At 3am, there are still parties, contests, and social events happening all over the conference center, not to mention the flocks of people at every bar nearby.
The rooms of the convention center come in a few main flavors:
- The "Tracks:" where talks take place on every subject from new 0days in routers to the ethics of working for the Feds;
- The "Villages:" where people practice skills and offer demos in social engineering, lockpicking, electronics tampering, and more;
- The "Contests:" where folks play Capture the Flag, and myriad other games, including Hacker Jeopardy; and
- The "Lounges:" where DJs play, art installations blink and move, and folks congregate with coffee or beer.
I am over-simplifying this slightly for the sake of clarity, as there are at least as many places where those distinctions are blurred, if not lost.
There is no shortage of folks who seem to spend all their time in just one of those places: hanging out in the chill out café, the lockpick village, or the vendor room. Neither is there a shortage of people who never make it into any of the rooms because they find strangers and friends in the hallways and stop to talk or hack together. Folks tend to refer to this practice of targeted socializing as HallwayCon or LobbyCon.
With over 13,000 attendees, the Con has its own fleet of volunteers and organizers who check badges, enforce physical security, help speakers manage time and equipment, sell merchandise, and answer a million odd questions. All these folks are called the "Goons," and they wear shirts that identify them to the crowd. Despite the strong currents of anti-establishment and independence in the attendees that I met, I saw nothing but smiles and respect for the Goons; their work appeared to be as much about social cohesion as enforcement. One of the traditions that amused me most was that every new speaker was interrupted by Goons with a bottle of bourbon and toasted before being allowed to complete their talk.
DefCON isn't one single community, though, and I met people whose affiliations varied wildly. Attendees are breakers, builders, government employees, and Fed-haters, just to cite some of the most-discussed differences. Diversity in other directions was more limited, though, and I saw many more white people than people of color. I saw more women, more kids, and more binary-breakers than I had been led to expect, though, which was a treat. Despite a million jokes about the "uniform" of the Con being jeans and a black t-shirt, there were plenty of creative costumes and innumerable blinky LED and EL wire accessories.
One of the most interesting accessories of the DefCON attendees are the intricate badges. Wired posted an article when this year's were revealed, which you can read here. The badges are part of a suite of branding materials that come complete with puzzles to solve and a contest to win for the final decryption. This year, the badges are heavy plastic designed to look like playing cards with the traditional suits replaced by 4 hacker media: phone (phreaking and communication), key (cryptology and building), disk (code and data), and jolly roger (piracy and breaking). The badges also had numerical codes, circuit diagrams, kanji, and other forms of communication on them. The branding carried through to the programs, art on the walls and floors, and installations in many of the conference rooms and lounges.
DefCON happens outside of the conference spaces, too, at parties sponsored by various groups, ranging from hacker consortiums to big companies. The parties happen all over Las Vegas, taking over fancy suites, restaurants, pools, bars, and more. Getting into parties is as much a contest as any of the official ones: party entrance schemes involved solving riddles to find parties, being given small trinkets that granted access to parties, social engineering your name on to secret lists, or being physically tagged by folks with stamps, markers, or cans of colored hairspray. Lest that sound too much like some hyperbolic movie representation, let me also tell you that the Con is also full of recruiters, full of folks disillusioned with the revelations of the last few years (WikiLeaks, Snowden, PRISM, etc.) looking for folks who might be able to save them, and more than a few folks who are there to sell something.
In other words, whatever it may have been in the past, DefCON, at 21 years of age, is old enough and big enough to be many different kinds of events at once, and the selection I saw has more to do with the people I met through my co-workers, the talks I attended, the shuttles I rode between hotels, and the contests in which I participated than with the nature of the event. As one colleague told me "DefCON is what you make of it."
Meg Grady-Troia is a program manager with the InfoSec team at Akamai