Re: Pretending to be a goon (as seen on dc-stuff)

pretty neat read... and one that exposes the overall theme of so many security compromises: it's not the elegant, well-crafted, cat-burglar style attacks that tend to get you, it's the simple sidestep around a security measure that no one thought of (usually due to it being so low-tech) which tends to let someone or something slip past.

i'm impressed more with their ability to have done this on the fly and at no cost (also, it seems, without a car to take them to a hardware store) than with their ability to think it up.

it also made me very happy reading priest's reaction. he did what i and most others would feel is totally appropriate... confiscated the false credentials but issued them another regular "human" badge the following day. after all, the guy (albeit in a feat of drunken bravado) was forthright about his social engineering and badge hacking and meant no harm.

contrast this with the HOPE staff who absolutely wanted to eviscerate BobCat, Laz, and others (i'm fairly certain tommEE pickles was their intentional havoc elsewhere) for temporarily taking the big metal "H2K2" letters and then returning them at HOPE 2002. totally uncalled for reaction, in my opinion, since our community (the HOPE crew, included) revels in exposing security flaws in ways that are both humorous and harmless.

Re: Pretending to be a goon (as seen on dc-stuff)

I also saw a badge that had one half of one white side shaded in red sharpee. From a distance it looked just like half a goon badge.

Someone should really think about this when designing the badges...

Re: Pretending to be a goon (as seen on dc-stuff)

Yes but this happens nearly every year (with the possible exception of the translucent badges) and Defcon hasn't come to a crashing halt. I remember the year we had metal badges, someone walked to Kinko's, dropped it into a photocopier, and turned the tint to red. The copy was simply paper, but it looked fine at a distance.

Then there are those people that talk their way into getting a speaker badge (which carries its own privileges).

In the end, it's the human end of security (i.e., the goons) that is the most effective. The badges themselves are mostly a cute way of branding people.

Re: Pretending to be a goon (as seen on dc-stuff)

Yeah, you got it. We try to make them hard to copy.

I go with a "time value" system.. if it takes you two days to get the parts and figure it out then that is long enough.. you deserve to get in.

Yeah.. the photocopier is mighty. Remember the lenticular badges that changed based on the angle? You can't duplicate them in a weekend, but you can photo copy them.. and at a distance they look real.

It all comes down to our crack team of Goons. They can tell a badge is fake if they get their hands on one.

There is some guy that claims to have duplicated all the badges from DC7 or 8 onwards. I would love for him to give a talk about it.. what was hard, what was easy.. and then show off the fakes next to the real ones. If anyone knows who this mystical person is, please have them contact me.

Re: Pretending to be a goon (as seen on dc-stuff)

that would be pretty damn hard with the badge from DC9, if i'm recalling it correctly... the ones that were sort of a rounded trapazoid shape and were filled with lava-lamp style fluid and gel with plastic bits floating around in there for good measure.

Re: Pretending to be a goon (as seen on dc-stuff)

Hey Guys,

Just dropping in -- glad you guys got a chance to check out my article. I had a great time writing it (and DC14 in general)

I just wanted to say that Priest sent me a note today, and solidified his place on my "cool" list. Priest, if you catch this post -- you don't have to worry about me trying anything like that next year (not saying that I don't have other things planned ) Yeah it was nice walking around with a "red badge", but I think in the future any other colored badge I wear shall be earned. (Not ready to give up my H&B if you know what I mean)

I appreciate the compassion that was shown, and look forward to DC15.

++Bill

Re: Pretending to be a goon (as seen on dc-stuff)

I like that you simply got past security and that was that. You did not throw switches, pull wires, turn dials or call in air strikes. You simply got in past security and that was that. Kudos to you.

When I was issued my badge my first through was about someone getting spray paint to counterfeit it. Iam sure many people thought of that, like making money on a copy machine, but no one would actually do it, because we have all seen the mission and methods of the G.I.A. (Goons In Action). No one wants to be on the wrong end of Priest, Noid, Flea, or many of the other staff members. I'm glad your head wasn't handed to you.

On the other hand I wish I had met you at the penthouse party and seen your work. Maybe next year.