Monday, August 07, 2006

Post Defcon

The speakers were good with few exceptions, but I don't want to bore anyone with the details...

The capture the flag room projected the score board, a movie, and random videos; here are a few favorites of the random videos...

Insane rejected commercials


Crazy German on safe secks


Voltron "battles" the bad guy


And the insane scratching below...
Also included were music videos from Aphex Twin, Bjork, Daft Punk, and many others. All were quality.

While at the Con you are to retain a beneficial fear of all things electronic: all forms of internet access, ATMs, kiosks, phones, nose-hair trimmers, etc. This means that if you wish to obtain cash, you are strongly encouraged to do so elsewhere. Any internet activity involving any form of password should be conducted over an encrypted tunnel to somewhere safe.
In the chill-out area they have what they call The Wall of Sheep, which is a server that passively collects wireless internet traffic and picks out all the usernames and passwords transmitted. People's logins for their banking websites, MySpace accounts, webmail, etc. are all picked up and displayed on a projector for all to see (though passwords only showed the first three characters). The people running the wall were actively monitoring some sessions, and posted pictures of the people logging into their MySpace accounts.
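To show the mechanism behind a wall like that, here is a toy credential harvester, added as an illustration and not the Wall of Sheep's own code. It takes client-to-server payloads as a passive sniffer would hand them over (the packets below are constructed samples, not real traffic), pulls logins out of three cleartext forms (HTTP Basic auth, a urlencoded login form, and the USER/PASS pair that FTP and POP3 send as separate segments), and prints each one with the password masked to its first three characters. The form field names and the port-to-protocol mapping are assumptions; the TLS sample at the end is there to show why the encrypted-tunnel advice works: the sniffer sees nothing usable in it.

```python
"""
Toy "wall of sheep": pull cleartext logins out of captured client->server
TCP payloads and format them for display with the password masked to its
first three characters. This is an added illustration, not the real Wall of
Sheep's code; the packets below are constructed samples standing in for
what a passive sniffer on the open wireless network would hand over.
"""
import base64
import re
from urllib.parse import parse_qs

# Form field names that commonly carry credentials (assumption: a real
# harvester would use a much longer list and per-site rules).
USER_FIELDS = ("username", "user", "login", "email", "uid")
PASS_FIELDS = ("password", "pass", "passwd", "pwd")


def mask(password, keep=3):
    """Show only the first `keep` characters, as the projector did."""
    return password[:keep] + "*" * max(0, len(password) - keep)


def parse_http(payload):
    """Return (host, user, password) from an HTTP request carrying Basic
    auth or a credential-bearing form POST; None if there is nothing."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    if not re.match(r"^(GET|POST) \S+ HTTP/1\.[01]$", lines[0]):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "?")

    # 1. HTTP Basic: base64("user:password") in the Authorization header
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:]).decode("latin-1")
        except ValueError:
            decoded = ""
        if ":" in decoded:
            user, _, password = decoded.partition(":")
            return host, user, password

    # 2. Form login: urlencoded body with recognisable field names
    if lines[0].startswith("POST") and "x-www-form-urlencoded" in headers.get("content-type", ""):
        form = parse_qs(body.decode("latin-1"))
        user = next((form[f][0] for f in USER_FIELDS if f in form), None)
        password = next((form[f][0] for f in PASS_FIELDS if f in form), None)
        if user and password:
            return host, user, password
    return None


def parse_user_pass(flow, payload, pending):
    """FTP and POP3 send 'USER x' and 'PASS y' as separate segments of one
    connection, so the username is remembered per flow in `pending` until
    the matching PASS arrives. Returns (server, user, password) or None."""
    match = re.match(r"^(USER|PASS)\s+(.+?)\s*$", payload.decode("latin-1"), re.I)
    if not match:
        return None
    verb, value = match.group(1).upper(), match.group(2)
    if verb == "USER":
        pending[flow] = value
        return None
    user = pending.pop(flow, None)
    return (flow[1], user, value) if user else None


def wall_of_sheep(packets):
    """Feed every (client, server, dst_port, payload) through the extractor
    for its port and return display rows (client, service, user, masked)."""
    pending, rows = {}, []
    for client, server, dport, payload in packets:
        hit = None
        if dport in (80, 8080):
            hit = parse_http(payload)
        elif dport in (21, 110):
            hit = parse_user_pass((client, server, dport), payload, pending)
        if hit:
            host, user, password = hit
            rows.append((client, host, user, mask(password)))
    return rows


# Constructed sample capture (not real traffic).
SAMPLE_PACKETS = [
    ("10.0.0.12", "mail.example.net", 110, b"USER alice\r\n"),
    ("10.0.0.12", "mail.example.net", 110, b"PASS hunter2\r\n"),
    ("10.0.0.31", "social.example.com", 80,
     b"POST /login HTTP/1.1\r\nHost: social.example.com\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"email=bob%40example.com&password=correcthorse"),
    ("10.0.0.44", "bank.example.org", 80,
     b"GET /account HTTP/1.1\r\nHost: bank.example.org\r\n"
     b"Authorization: Basic " + base64.b64encode(b"carol:S3cret!") + b"\r\n\r\n"),
    # Same bank over TLS: opaque to the sniffer, nothing to harvest.
    ("10.0.0.55", "bank.example.org", 443, b"\x16\x03\x01\x00\x5c\x01\x00\x00\x58\x03\x01"),
]

if __name__ == "__main__":
    for client, host, user, masked in wall_of_sheep(SAMPLE_PACKETS):
        print(f"{client:<12} {host:<20} {user:<18} {masked}")
```

Run it as a script to see the three rows the projector would have shown; the TLS segment on port 443 produces nothing, which is the whole point of tunnelling your logins off the Con network.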

There were also plenty of locks of different types you could try your hand at picking, and I spent about two hours (total) picking locks and BSing with other lock picking enthusiasts.

When I searched for networks on my laptop in our room at Circus Circus (what? I didn't buy the tickets!) I found an open access point which, once connected to, redirected you to a pay-us-$11-per-day-per-computer-for-24-hours-of-internet-access webpage. I clicked around and found that you could sign up for the access by credit card, through the TV, or by supplying your last name and room number (yes, really). Since the router was not letting me access any other parts of the network and I couldn't find an authenticated user to pretend to be, I began picking through the page to find out how to script an attack against it. I told the friend I came with what I was doing, and a visitor (non-hacker) wondered why I didn't simply pay the $11. To which I replied, "We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons." "It's just $11, it's not like it's that much." Exactly; if it's not that much and I shouldn't mind paying it, then they shouldn't mind me NOT paying it. So I got some input on common last names and went to town... Unfortunately there was apparently an issue with my script's success testing (which I blame entirely on lack of sleep!) which caused it to continue trying even if it was successful. So I extend my apologies to anyone who attended Circus Circus last Saturday who had the last name Smith with a room number in the low 12000s; Rodriguez in the low 10000s; Franklin in the low 14000s; or Gray in the low 17000s. I understand there may have been a possibility that you could have incurred a charge for internet access you did not specifically request. But hey, it's just $11... Though, thinking about the hackers I saw staying at the same casino, and the fact that this system was so easily defeated, I imagine a whole hell of a lot of people with common names were probably charged for internet access...
I'd wager there were even enough for Circus Circus to simply NOT charge anyone for the internet access they supposedly purchased... (I feel a bit better) :-]

PS: thanks to Hack a day for the free T-shirt!
