Ramblings of a Dutchy in California

In April 2003 I traded my hometown of Haarlem, Netherlands, for the San Francisco Bay Area and a career in tech journalism and high-tech public relations. But work isn't the only reason I like the area, as you'll see on this blog, which will primarily have photos and some personal thoughts.

Saturday, August 9, 2008

Judge Halts Def Con Talk

There's nothing incestuous about the drama unfolding at Def Con. Reporters in Vegas for the Black Hat and Def Con events are getting two for the price of one this year.

The Black Hat story was arguably a tempest in a teapot with journalist-on-journalist spying. What unfolded at Def Con today is the real thing. A judge in Massachusetts barred students from the prestigious Massachusetts Institute of Technology from presenting on a hack of RFID-based transportation tags that are used in Boston to pay for the local subway system known as the "T."

The undergraduate students had been scheduled to give a presentation Sunday afternoon in which they planned to describe "several attacks to completely break the CharlieCard," according to a CNET News.com report. The students also planned to release card-hacking software they had created, but canceled both the presentation and the release of the software.

Hacks of RFID systems used for public transit have become popular, possibly more popular than the passport hacks of the past years. In Europe the payment tags used in systems across the continent have come under heavy scrutiny from security experts. In my home country of The Netherlands, for example, the OV Chipkaart is said to have been compromised.

What all of this shows is that, once again, organisations are rushing to implement new technologies--RFID in this case--without fully considering the security impacts ahead of time. It is critical, now more than ever, to do a solid security review before commercializing any type of technology. I am sure that many of the "hackers" at Def Con and Black Hat could be hired for such services.


Friday, August 8, 2008

08-08-08

Today's supposed to be a lucky day that brings a lot of good fortune. If you believe in Chinese numerology it should especially bring fortune. So, a lot of couples are getting married today. I am in Las Vegas for Black Hat and Def Con and am literally tripping over newlyweds. In every major hotel I have seen the traditional white dress and guys in tuxedos. All 08-08-08 couples and none that I have seen are Chinese.

Tonight at dinner I also ran into a bachelorette party. The girls, about 8 of them, had all kinds of odd assignments. They had to get a guy to sign his name on one of their chests, they had to call a guy's girlfriend, they had to kiss a guy on his cheek, they had to French kiss a guy, flash a guy and have a guy motorboat one of them. Of course these would all be complete strangers to them. Sadly Declan and I didn't get any of the real fun tasks ;-) However, we did get to watch one girl do the scene from "When Harry met Sally" and fake an orgasm in a restaurant. That was amusing.

Now, I am not so sure it is a lucky day today. I lost $60 playing Black Jack. What's up with that?


No Black Hat Without Drama

It seems the annual Black Hat and Def Con security conferences in Las Vegas just aren't complete without some kind of drama that reporters can sink their teeth into. However, the drama that plays out keeps getting closer and closer to home for the journalist crowd.

Last year a TV reporter was expelled from Def Con for not being appropriately accredited and asking questions without identifying herself as press. The collective media jumped on the story of how their peer was cheating the Def Con rules and operating under cover in an attempt to do a story on hackers.

This year it was the reporters themselves who got hacked, by other reporters. According to the buzz around the Black Hat press room the sanctity of the local area network set up specifically for media was breached by a couple of French journalists who sniffed the network and were able to capture the apparent user credentials for reporters from eWeek and CNET.

"I feel personally violated," one of the reporters in question said later on Thursday night. This was after this year's Black Hat drama had unfolded to the extent of a press conference with lawyers from EFF and the ejection of the French journalists from the event two hours before it was to end.

I've attended many Black Hat and Def Con events over the years and have always distrusted the networks at the events. BYOI or BYOC is my philosophy (Bring Your Own Internet -- Bring Your Own Connectivity.)

I do feel for my former colleagues though. I've been hacked in the past and I am sure it will happen again and it isn't much fun when your data either disappears or gets put out in the open. The somewhat incestuous nature of the Black Hat dramas over the past two years is kind of odd though. What happened to the good old days of Michael Lynn and Cisco-gate?
