Re: DC17 Network - Wrap-up

After Moxie's presentation, I counted myself lucky that I was never able to get a valid SSL certificate for Gmail from multiple rooms beforehand.

Re: DC17 Network - Wrap-up

Can you imagine what the 3G network performance would be like if there was no Defcon network?

The Defcon network must stay.

Re: DC17 Network - Wrap-up

Iused the Defcon network extensively this year, but I also took some precautions. I set my browser to use a ssh proxy most of the time. I turned off cookies. I ran the browser in Firefox's privacy mode.

I did not connect my cell phone to the Defcon network because I have not yet looked into the kind of traffic it generates. Specifically, I wondered if the Twitter clients used SSL. As it turns out, that was one of the big issues this year.

Sniff the traffic on the hotel network and sniff the traffic on the Defcon network. You'll see there was a pretty big difference. The Defcon network is pretty solid.

Re: DC17 Network - Wrap-up

You also forgot "disable flash because there are known vulnerabilities, and you may screw up and have your web surfing outside your tunnel once until you notice on your TCPdump you have running" and "You can't use the Riv or Circus Circus net at all because the login/welcome page will require you to use your web browser directly rather than through a secure tunnel".

Which is, of course, about 3-5 hours of clock time (of which, 2-4 hours is attentive time) when you include creating temporary accounts for your tunnel, partitioning your working set so you have whatever work you need, creating a new temporary version control archive, etc etc etc. Which, in the end, creates a computer that may be far more limited than you are used to, because, eg, you don't have a cool piece of example code on your temporary hard drive when you want to show it to someone.

And then you have devices (*cough* iPhone *cough*) that could not be hardened prior to Defcon. You can't run a normal iPod touch's web browser through SSH. Heck, the only normal web browser you have is the festering POS called Safari. While Blackhat just showed some SMS p0wnage in the iPhone.


Finally, for all the great work of the networking goons, the Defcon network it is not secure, and can not be made secure: Any broadcast network (which WiFi is, with no password or with known preshared-keys, either way) is insecure: there is no such thing as a only can be passive eavesdropper on such networks, meaning it is absolute trivia to inject an iframe into someone's browser sessions should they have the gall to visit Google over http. Oh wait, there IS no https:// option for Google.

Yes, it can happen at your local starbucks, but it will happen at Defcon.


So how many people would use the Defcon network if the Wall of Sheep added the following logical addition: Packet inject a 302 redirect to an "HTTP is bad, mkay" page for the first HTTP connection from that ethernet MAC?

After all, the Wall of Sheep is a benevelent attacker, which is acting as a teaching experience. So why shouldn't the Wall of Sheep do what people are probably already doing on the floor, but just make it visible to people?


In the end, this is exactly what Peter Gutmann's talk was about. The geek solution, although effective for us, does not and can not apply to most people. I loved the Defcon network. It works great, the bandwidth is good, and I don't have to worry about things because I did set myself up right.

But although the Defcon network is a wonderful service, and should be maintained, for most people, and these days, even most attendees, the simplest security measure is to just leave the computer at home, and advising them to do so is the right answer.

Re: DC17 Network - Wrap-up

People are acting like getting a box owned at DefCon is the end of the world. Use VPNs or ssh tunnels, don't leave any ports open, and depending on how much "omg this is top secret informations" you have on your computer, maybe back it up at home and reformat before DefCon. (Also, no one cares about the porn you have on your computer... except maybe the FBI... you know who you are).

I don't know about anyone else, but the 3G on my phone was complete shit inside the riv, the wifi let me see all the tweets and whatever so I could go, "OH NO, KILLER BEES IN THE POOL."

I vote to keep the wifi, and make fun of anyone who gets hysterical about DefCon making your computer eat itself alive.

Re: DC17 Network - Wrap-up

Or you could just bring a fresh install of your OS of choice, don't save any passwords or log into anything important on it while on the DC network or (more importantly) the Riv network, or *sigh* the Circus Circus network and you'll be fine lol.

After attending the Networking talk on Thursday, I'd have to agree with jeffgus...the DC network was probably the more secure option between the local wifi and it. Tell the boss to spring for a 3G card if you have to work from there!

I'm still amused at some of the names I saw on the Wall. I had a nightmare one night that my DC forums log on was on the Wall and I got banned. Why can't I have dirty sex dreams instead of stupid pointless nightmares? *sigh*

Mel

Re: DC17 Network - Wrap-up

Ever since Defcon purchased the wireless access point controller the wireless network became much much reliable. I attended the Defcon network talk and based on what I saw, I would trust the Defcon network over the hotel network.

This weekend my office lost power (of course it has to be the week I'm away). I used the Defcon network extensively to correct a couple of boxes that didn't come up correctly after the power was restored. Although I did lose connectivity a few times, it was nothing like the early Defcon networks.

Now if we could only take over the hotel CATV system.

Re: DC17 Network - Wrap-up

i think the wireless should stay for one reason.

wall of sheep.

it shows alot of people how insecure their stuff is, and for alot of people not being shown means they will not make any effort to change.

Re: DC17 Network - Wrap-up

One random thought might be a "deauth detector" in an iPod touch or similar device with a Wifi connection and accelerometers, allowing you to swing towards the source if they are noisy for final positioning, with the coarse positioning from your air monitor infrastructure.

(I did a prototype wifi tracker like this on a Nintendo DS with an accelerometer card, pitty the DS has a sucky wifi chip.)

There was also the WiFi Fishtank AP set up (which hit me, stupid mac tries to associate with it even though the recorded AP was WPA-PSK), that was annoying but deliberate, so I'll forgive them that.

Re: DC17 Network - Wrap-up

I very much like the wireless network, I used it heavily and think its an incredibly useful resource. In fact, far better than crappy hotel networks that require you to use a gateway.

But I hate to say it, "dont use the network" was advice most SHOULD take. Until Friday, there were known zero-days in flash being used in the wild, etc etc etc. That ~100 MiTM/hour figure means a potential ~100 ownages/hour if people had Flash enabled.

True, you can get p0wned just as easily when you connect at the local Starbucks (easier, in fact, because you can't just tunnel all web traffic from the start), and there are other networks at conferences which in practice are probably far more hostile than Defcon.

But the density of attackers is a lot lower in the real world. Come in with an out-of-the-box Vista install fresh from Worst Buy and do a bit of light websurfing at Starbucks? You'll probably get away with it. Not always. But probably.

Do it at Defcon and you're owned in 5 minutes.

Nobody is going to waste a new zero-day at Defcon. (They will at some other places I can think of). But there are plenty which will happily use known vulnerabilities, and we were at a Defcon where day 1 had "known and unpatchable" vulnerabilities in Flash.

Re: DC17 Network - Wrap-up

Cool, thanks for that. DHCP is an issue due to the sheer number of AP's we have (Luiz can explain it well - seems to be an "industry problem" when having that much wifi coverage in a limited space).

I'll have to spend some time talking to wifi experts about the association issues. Some of it is certainly people around you being naughty, sending out DEAUTH packets - which prevent you from having a good association. Will have to dig around to see if there's any decent way to deal with that.

Re: DC17 Network - Wrap-up

Apparently it worked for other people, but for me and the people I was with, we had difficulty getting connectivity at all, much less the awesome download speeds and such.

Sometimes, I couldn't even get an association, but most of the time, I would associate, but wouldn't get a DHCP lease.