I don't know enough about hacking and odds are you don't, either. I set out to learn more at DEF CON, a hacking conference with enough discussions on civil liberties, ethics and philosophy to delight a liberal arts major.
This weekend was the 21st installment of the annual Las Vegas event, which has swelled from around 100 people to nearly 15,000. It was also the first gathering since Edward Snowden leaked documents that put shadowy corners of our government and security industry squarely in the spotlight. Major national privacy stories landed the day before and after, raising more questions about how much our government knows -- or could find out -- about our lives. "Hacking" means different things to different people, but it certainly includes broad surveillance by the government and others that could violate your privacy in emails, phone calls and other technologies we all depend on.
"Journalists should take note, whistleblowers should take note, innocent people who never do anything illegal should take note," Melissa Elliott cautioned a large crowd during her presentation on unintentional radio emissions. She had just explained how common devices like keyboards and computer screens give off faint signals from their wires, meaning an antenna could hypothetically capture what you're doing and completely bypass encryption. Her results were limited, but so was her budget. The NSA presumably doesn't use spare parts from a cheap radio.
One longtime attendee, going by the name Agent X, offered a simple litmus test for who should pay attention to what goes on at DEF CON: "Do you use a computer?"
Our cars are filled with computers these days. A pair of researchers, Charlie Miller and Chris Valasek, demonstrated how they took over a staggering number of them in a 2010 Ford Escape and 2010 Toyota Prius. Laughing all the way, they used a laptop to yank steering wheels and seat belts, turn off brakes, turn on horns, and generally have fun with their poor test drivers (usually themselves, sometimes a reporter). Their methods and presentation were fun, but the safety risks gave it a serious undertone. When they needed help, mechanics would tell them, "We've never seen this before." That may change now that they're releasing their work online, calling it a "Swiss Army knife" that could allow others to do in hours what had taken them 10 months.
In another session, a speaker named Zoz rattled off a list of ways to manipulate driverless cars. In other words, technology that's probably years away from public use has already been thoroughly dissected by hackers.
It seems the only thing that will never be done with computers is DEF CON's registration. These privacy gurus must know something we don't. Walk up to the door with $180 cash and they hand you a badge, no questions asked. That's it. For the same price as an evening at certain Las Vegas shows, you get up to four days. Each session had the potential to be everything (or nothing) like an extended TED Talk. Most had a strict 45-minute time limit, usually five at once -- simultaneously with an array of "villages" (picture ongoing workshops on lockpicking and wifi hacking) and contests. You could get exhausted or dizzy, but not bored. The diversity of topics made it easy to find sessions I could understand. I didn't need to know my PGP fingerprint from my elbow.
WHAT CAN HACKING MEAN FOR YOU?
Morality, not machines, ruled many conversations. Alex Stamos, giving a talk on professional ethics, implored his audience to "live an examined life." I'm not sure if he was channeling Socrates or an engineer. He insisted that "all people deserve for their technology to be trustworthy" and, after discussing medical oaths, told the the crowd, "We are the technological priesthood of the 21st century and perhaps of the third millennium." An interactive portion of his session made it clear that many viewpoints were welcome, but a recurring refrain from speakers and attendees was that citizens should be entitled to more privacy and the government entitled to less.
Enter Christopher Soghian, a technologist at the ACLU, whose speech on hacking by the government filled every seat in a three-tiered theater normally used by Penn & Teller. While the NSA had been making more headlines in recent weeks, he shared eye-opening revelations about the FBI, their Remote Operations Unit and various contractors. A primer on FBI (i.e., domestic) hacking efforts was published a day earlier by the Wall Street Journal.
Noting that Silicon Valley appears to make security a larger priority than traditional telephone companies, Soghian explained that popular business models still present challenges for consumer privacy. Gmail, for example, offers encryption while your data is being transmitted but not while it's stored on their servers. Why not go all the way? It's an advertising-supported service at no charge to you. How else could they serve targeted ads if they can't scan your email?
It's possible to increase your privacy, though it often comes at a price. Without giving any formal endorsements, Soghian pointed to services like Silent Circle for communication encryption starting at $10 per month and SpiderOak for cloud storage with a similar philosophy and fee. He uses Pretty Good Privacy, which can cost no more than your time -- but it can be difficult to learn. PGP was Snowden's first choice to leak documents about NSA surveillance to journalist Glenn Greenwald. Soghian's business card even references his PGP fingerprint, which helps encode messages to him and verify if messages are really from him.
BEYOND THE HACKERS
A book by longtime DEF CON speaker Richard Thieme, UFOs and Government: A Historical Inquiry, was the foundation for another popular session. He dismissed common cliches and noted that little is really known about UFOs. Instead, he turned his focus to different ways agencies respond when "credible people have seen incredible things" (as he quoted an Air Force major general from 1953). While it seemed like a departure from hacking, Thieme was actually right on topic: The feds want to keep their business private. That had extra significance in a year when we've discovered how much the government wants to know about ours.
DEF CON made headlines last month when founder Jeff Moss, better known in this community as Dark Tangent, asked the feds to stay away. The request came in the wake of tension involving Snowden, who was clearly a hero to many attendees. Traditionally, government employees mingle openly with hackers, some likening it to an informal job fair.
Feds were probably in attendance, anyway, but they were more welcome at Black Hat. Also founded by Moss in the '90s, the separate four-day conference takes place immediately before DEF CON in another part of Las Vegas. It's a tad smaller and is targeted at the government and business security industry. With big-name sponsors and registration fees of $1,795 to $2,595 depending on when you sign up, Black Hat seems to appeal to a different audience (I didn't make it myself). The t-shirt clad crowd at DEF CON, which sees itself more as a community, generally referred to Black Hat as "corporate."
For about a tenth of the price, DEF CON shouldn't just appeal to hackers but to anybody interested in technology, privacy and security. A longtime attendee and organizer who goes by the name Dead Addict said that college professors started bringing their students at least seven years ago. For the third year, DEF CON hosted a conference-within-a-conference for kids. Some are wondering if it's becoming too tame, but it's certainly high value. I can't see why the "real hackers" can't keep their core community (sometimes described "like a family") while others learn as well. New and veteran attendees both seemed enthusiastic.
Unfortunately, women were underrepresented at DEF CON -- at least as badly as the ongoing disparity in the fields of science, technology, engineering and math. While organizers don't keep records to track demographics (remember the registration process?), it's glaringly obvious in the convention halls and even bathroom lines. Given the price, the event could be used as cost-effective stepping stone for women who want to get involved in STEM.
In the meantime, DEF CON impressed by packing rooms with people who are intelligent and care about the world around them, then giving them cutting-edge speakers who know how to make an audience laugh. The conversations ran a gamut of emotions (not the least of which: inspiring) and were accessible for the uninitiated. Check out some videos when they go up on the website. If you've made it this far, hopefully you want to learn more -- maybe you even want to go next year. I do.
Follow Adam J. Rose on Twitter: www.twitter.com/adjoro