July 31. A return to Las Vegas, lost in the hot desert sun. I am in town again for Defcon, the annual gathering of the hacking tribes-criminals, libertarians, computer security gurus, a few Feds... The usual suspects. I arrive at about 7 and am dazzled by the changes in Las Vegas. Hotels have sprung up all over the barren desert terrain. The Riviera is advertising its "no ifs, ands, or - Butts" policy with a row of beautiful female derrieres on a fantastic billboard. Erin and Evan Horvath announce, on another billboard, that they've just gotten married. But hey, at least it's a tasteful billboard. I wonder if they're registered. Perhaps I ought to send a wedding present. At Treasure Island, one of my haunts in town, I go out to walk the casino and to have dinner-my reservations are at the Bay Club at 2130. The Casino is filled with beautiful young generation X-ettes; a striking blonde in coochie hugging black shorts under a very short bare midriff top is playing at the high stakes roulette wheel. When I return several hours later she will still be there. She's either lucky or well financed. At the "Battle Bar" a girl is celebrating her birthday by drinking Belvedere martinis. I buy her one for good measure, then head up to dinner. I feast on prawns and lobster bisque, and chicken with Jordan Cabernet to wash it down. At the meal's conclusion I lean out the windows and watch a pirate ship sink a British man 'o war, after both are nearly destroyed in battle. I root for the pirates-must be my rebel instincts. I am amazed to see the British captain actually go down with his ship, but even more amazed to see him magically resurface, alive, a few minutes later. Las Vegas can do weird things to Reality. * * * Down to the casino for a few hours of blackjack. I lose $95 but at least it takes me awhile! * * * August 1. To the Plaza with a Cabbie from my home town-odd coincidence. Inside I search for the conference and decide that a couple adolescent boys will lead me to it-but they don't know where it is either. We decide to follow the "geeky lookin' guys" up ahead and darned if they don't lead us right to the spot. The lads ask me where I'm from and I name one of the Bell Operating Companies, saying "Don't tell me anything I don't wanna know". They seem dubious until I show them my ID. They tell me they have had some experience with our NT administrators, and have a pretty low opinion of them. I'm not surprised. * * * After I hassle with registration, which has hit an ungodly $40 this year, I check out a room of merchandise. Tee shirts that read "Big Brother Inside" in the style of the "Intel Inside" logo, books on cracking wireless telecomm, establishing new identities, spying on people, Secrets of the Legion of Doom hacking group. CDs of warez or viruses. A tee shirt in the FedEx colors saying RegExp, another one in red and yellow displaying the Royal Dutch Petroleum "Shell" logo, with the phrase "/bin/sh" under it. Interesting stuff but nothing I'm in the market for. * * * In the conference room there's a "Free Kevin" sticker on the podium, a reference to Kevin Mitnick, hacker whom many feel was unjustly persecuted by Law Enforcement. Later in the day I will see people who've morphed the stickers into the phrase "Free Kevin with every Happy Meal". The crowd is huge, much larger than in ''94, but I find a place to sit in time to hear D'arc Tangent announce that an IRIX box was the first cracked in the "Capture the Flag" hacking contest. * * * "Why do we keep coming back to Defcon? Because we want to color outside the lines. Because we want to Know" -- R. Thieme * * * Our keynote Speaker, Richard Thieme, takes the stage at 10:00. He fires up the crowd with a speech that can only be described as Norman Vincent Peale meets Hunter S. Thompson. He talks about the social implications of hacking, jumping from topic to topic like a cubist on speed. He describes hackers as those who really want to know how the world works. But in the digital world of today, the constant construction of reality that is possible makes it difficult to know a hacker's ultimate allegiance. And it is not what you know or do, but rather your perceived allegiance that is a threat. He tells us of a young hacker in an unnamed European country who makes a living from his hacking skills, breaking into financial computing systems to test their security. He does this with the Banks' blessing. A legitimate allegiance like this makes his hacking "allright". But hacking for its own sake is not "allright" as far as the public is concerned-most people are actually scared of knowledge in today's world. And they are socialized to such an extent that they believe the media's demonizing characterizations of hackers without question, and despite the facts. Indeed, Thieme defines socialization as that state in which you do not even see things that would not be validated by mainstream social consensus, even if those things are happening right before your eyes. This seems to me to adequately describe the nation of media-sheep that we have become. Next Thieme goes on to attack the mainstream media itself-a rather easy target. The Wall St. Journal, he says, aims its literacy level at the Ninth Grade, and this is considered profoundly high. Everything else is much more watered down. In the back of my mind I can see a day when the news headline reads "President Does Stuff-Film at 11". * * * "All Great Truths begin as Blasphemy" -- G. B. Shaw * * * Thieme points out that many of the most important innovations of recent years were ridiculed when they were first proposed-the PC, the Internet. But all of these great ideas came from the fringe, from "Hacker Territory". As Nick Machiavelli said hundreds of years ago, one of the hardest tasks is to take the lead in the New Order of Things. Thieme believes that this is the hackers' destiny-to take the lead. He goes on to show the power of information in today's world. His examples are of information warfare. First a famous picture of a Cuban soldier gloating over a raped woman in Angola in the late '70's. This image, he tells us, was totally fabricated by the CIA-the Cuban and the woman were never even in the same country! More recently he points to the United States' will being broken in Somalia-by a 30 second videotape of two dead Rangers being dragged behind a jeep. Yes, information can have a major effect on events in today's world, and hackers may have power over that information. But, he asks the crowd, What is your intention in Hacking? His is simply to know the Big Picture. As he said of hackers at the beginning of his talk, "We want to Know". * * * "If you understand UNIX, you understand the Universe. If you understand Windows NT, you understand-Windows NT" -- R. Thieme * * * D'Arc Tangent takes the stage again and says "Here's something bad to do-when you're in a major Hotel in Las Vegas, with security cameras everywhere, you don't want to throw a lit road flare into an elevator which just happens to have a security guard in it". One of our conference attendees did this. He didn't last long. * * * Bruce Schneier, author of "Applied Cryptography", is up next to speak on "Tradecraft in Public Networks". Tradecraft means "covering your tracks". While cryptography is concerned with hiding the contents of a message, tradecraft, or steganography, is concerned with hiding the very existence of a message. Why is he interested in this? Why, from reading the "Hardy Boys' Detective Handbook", of course! Once upon a time this venerable tome taught him how to tail someone, how to case a crime scene, how to fingerprint. There were a lot of skills used in traditional Cold War spying-such as tradecraft- that today's hackers don't even know about. He sets out to remedy this. His basic question-how does a person hide their actions from an adversary that is extremely well funded-for example the Chinese government. Or even the U.S. government. This has traditionally been a battle of wits, but today it's turned into a battle of technology. The devices available to governments are truly amazing (or frightening, depending on your viewpoint.) He tells us about the rescue operation at the Japanese embassy in Peru, taken over by the Tupac Amaru terrorist group in 1996. The rescue operation was flawless, aided in large part by intelligence gathered from microphones on the buttons of the clothing brought in by Red Cross volunteers for the hostages. So, how to preserve the privacy of one's actions in the face of increasing governmental capabilities? For many, such as Chinese dissidents, the East Timorese (victims of an Indonesian invasion and genocide) and many other oppressed groups around the world, this is more than just a rhetorical question. Schneier tells us about some of the basic techniques of Cold War tradecraft, such as the "Dead Drop", in which information is placed in a known location by one person, and another person picks it up. For example, you might pass information in a crumpled up cigarette packet near a wastebasket, or in a note taped under the shelf in a phone booth. This technique is useful because it both conceals the transmission of a message and prevents people from turning in their contacts, since they don't know who their contacts are. Similar to the Dead Drop is the "Live Pass" where perhaps you get on a crowded bus, and someone may-or may not-place information in your pocket. You, as the recipient, don't pay any attention to this information, of course, until you're safely "home", wherever that may be in the circumstances. Another tradecraft technique along these lines is the "Semaphore". You might walk past the same mailbox every day; but if one day you see a chalk "X" on the mailbox, it means something-perhaps you are to leave town, or call a pre-arranged phone number. How to accomplish these kinds of information transfer on the Net? You could post something to a news group, for instance a particularly good chocolate chip cookie recipe in rec.recipes might mean something important is happening, or that some action is to be taken by the "recipient". This is like a Dead Drop because no one knows who's picking up the information. Additionally, it obscures the existence of a message. And this is key, for the big problem for surveillance agencies is not so much decrypting data, but rather deciding which data is important. Steganography is the technical name for the science of hiding the existence of a message. There are several ways to accomplish this on the Net. An example-hiding a message in the low order bit of a gif image. There are steganography tools available that will do this. But now the fun begins. What if you're a Chinese dissident trying to pass information to Amnesty International this way? If you've never sent a gif image before this will immediately arouse suspicion. Is it possible for the Chinese government to scan the Net, looking for the same image with slight differences in it? Of course the answer is "yes". Really the only way to get this to work is to take a photograph yourself, so it won't appear anywhere else on the Net, scan it in, encode information into it, and send it. And you better have a plausible cover story for sending it! * * * "A spy always assumes that his person or house will be searched" -- B. Schneier * * * Schneier now changes gears slightly to talk about hiding places. There are two kinds of hiding places, deep hiding places, which may take an hour or more to access-these may be inside a wall or buried under concrete-and "slicks", places to dump something quickly. A slick might be inside a curtain rod, for example. As Schneier says, anyone who has ever been a teenager has made use of slicks. In computing there are a few ways to hide information. He mentions the Deniable File System-this is preferable to simple encryption, because it's not obvious it's there. Moreover, all forms of encryption are susceptible to "Rubber Hose Cryptanalysis"-you simply beat the key out of the victim. The problem, though, with Deniable File System is that you can set it up so the goons never know they've gotten all your data, so they'll never stop beating you. Schneier reminds us that we're dealing with an adversary that's not going to behave by any reasonable set of rules. Schneier describes what he feels might be the best method of hiding data, a "panic button" system which, when activated, encrypts files with the public key of someone in the Amnesty International office in the UK. This is much better than a system that erases files, because false alarms, he says, "are a drag". At this point, having covered the basics of tradecraft on the Net, Schneier opens the floor to questions. His answers are most illuminating. We learn that 56 bit keys can be broken in 2 1/2 days and that 64 bit keys are also vulnerable. 96 bits is probably the bare minimum for security. 128 bit keys will probably always be immune to brute force attacks, as these currently require more time than the age of the Universe. But he notes that keys are probably not your weakest link. In PGP it might be your pass phrase. We learn that Electron Tunneling microscopes show up to 7 generations of data on a disk. If you really want to destroy data he recommends overwriting it 15 times. When the government wants to destroy classified data it tosses the disks into a metal shredder. There is a question about archiving data on the Net-which actually makes a great hiding place. Schneier suggests getting a 50 year old copy of Playboy [N.B.-Playboy has only been published for 45 years] scanning the centerfold and other pictures, inserting steganographic data and uploading or posting these images where they'll be permanently archived. Although this technically is a copyright violation, it is somewhat akin to the common spy technique of having a slightly illegal cover story to mask highly illegal activities. We learn about Peter Wayner's "Mimic" functions, which can encrypt your data into meaningless chatter about baseball, for example. This works well against automatic computer scans of all of USENET. Someone asks, "How much security does the 'lock' feature of a zip drive give you?" The answer: "None. Zero. Zip." The questions follow Schneier out into the hallway as he leaves to make way for Ian Goldberg, a graduate student at UC Berkeley. Ian, who sounds to me like a Canadian, is here to tell us about digital cell phone hacking. But first he talks a bit about analog phones. Analog phones, he says, have basically no security. They transmit everything in the clear. Privacy protection in the analog world is essentially legislative-and we know how well that works. Digital cell phones should improve this situation, as they allow for the addition of cryptography. But this, unfortunately, hasn't been implemented very well. Ian concentrates on GSM, the current European standard which is gaining a foothold in North America with such services as Pacific Bell "Pure Digital" PCS. There are at the moment 80 million GSM users worldwide. There are projected to be about 20 million digital cell phones in the United States by 2001, a mix of TDMA, CDMA, and GSM. As long as analog phones are more popular, and digital scanners remain more expensive, Ian predicts that attacks on digital phones will not be common. He tells us a very interesting thing-that the various digital cellular systems all share similar security properties-the most important being that encryption is used only between the cell phone and the base station. After that point traffic is carried in the clear. If the FBI or other law enforcement agency wants access to cellular telephone conversations, they can just tap at the base station as long as they have the appropriate Title III warrant and CALEA says the telephone companies must comply. So the ONLY reason law enforcement would push for weak encryption is because they want to do illicit taps. This sounds reasonable to me-and apparently to the rest of the audience as well. At this point things get technical. Ian outlines the following encryption algorithms-CAVE, which is used for fraud protection, and is still unbroken, an XOR mask-which in actual use is basically ridiculous since the first packet sent in either direction is defined to be silence so you know the plane text and you know the cyphertext-breaking this is trivial. And then CMEA which is used for encryption of the control channel information. CMEA was first broken a couple of years ago and can in fact be broken in real time. Ian tells us that these algorithms were designed in secret with input from law enforcement, with the result that all of these algorithms are broken. The GSM session encryption algorithm, called A5/1, purports to be 64 bits but is believed to be much weaker than this. He notes that work is underway to redesign the North American security architecture, and that this time it will be an open process. But he concedes that voice privacy will never be fixed since the NSA has mandated (and where did they get the power to mandate?) a weak encryption process if manufacturers want to export their phones. And in practice the algorithms in use may not even need to be cracked-many providers use an all 0's key. This is of course quite susceptible to the "known key attack". In addition, many older base stations don't have encryption circuitry in them anyway. The industry currently relies on the relative abundance of analog cellular phones, which make easier targets, and the expense of digital scanners. There is, Ian tells us, one major difference between GSM and the North American digital cell phone standards. In the North American standards your identity is programmed into your phone. With GSM your identity resides on a smart card called a SIM (Subscriber Identity Module) which can be moved from phone to phone. It is the SIM that carries authentication information. In order to authenticate itself the SIM sends a 128 bit International Mobile Subscriber Identifier (IMSI) to the Base Station (BS), which forwards it to an Authentication Station (AS). Note that if communications between the AS and BS are in the clear they may be intercepted and used to make digital "clones". The AS picks a random number, performs two hashing algorithms on it (A3 and A8) and sends the random number and the hash results back to the Base Station. The Base Station forwards the random number to the SIM, which performs the same calculations. If the results match the phone is authenticated and may now send or receive calls. In addition to snooping on the BS-AS link you may also find authentication information in computers at the BS or AS. It is also possible to directly interrogate the card for its authentication information-but you need to have it physically in your possession. While this may at first seem far fetched, it is quite easy to do-in most parts of Europe you can rent a digital cellular phone. You could clone it using an interrogation mechanism overnight (cloning takes about 8 hours) and then return it. If you overclock the SIM you can clone it in about an hour. Note that in Israel there is a device in movie theatres and opera houses which automatically registers cellular phones to a non-existent network-essentially by masquerading as a Base Station-to prevent them from ringing during performances. This system could conceivably be used to clone every phone in the theatre! While GSM claims to have really good fraud protection, in reality, Ian tells us, it has none. Since GSM phones are impossible to clone, why bother protecting them, right? Although you cannot have two active conversations on the same (cloned) phone at the same time, you can have two cloned phones on at once. Incoming calls tend to go to whoever placed the last call. How to clone a digital phone? If you've got the secret key from interrogating a SIM you can just program it onto a blank SIM. The problem is, blank SIMS are hard to come by. Fortunately, there is a device called a SIM-12-a card reader/emulator-available for 70 pounds from ww.maxking.com. You simply slide this into your phone, plug it into your PC, and your PC emulates the smart card in software. * * * D'arc Tangent takes the stage to let us know that the "Pierce-a-Thon" has been moved to 5 PM today. * * * I wait in the audience, sitting next to a young hacker whose name tag reads "Johnny Zen", for Jennifer Grannick to take the stage. Jennifer is a defense attorney who frequently takes the hacker's side, and I am very curious to hear her speak. But I'm also a little dubious, as we all know there's no such thing as a good lawyer. Johnny Z. reassures me though-he seems to have a very high opinion of her. Jennifer turns out to be a young law-babe, dressed entirely in black, as befits this conference. She is here to tell us a cautionary tale for hackers, so that people will know what's legal and what's not. So that people will know what not to do. Jennifer tells us that she got a call last week from the FBI. They wanted to know what she was going to tell us. They thought if she told us how not to get caught it would encourage hackers to go out and commit crimes. They thought this would be very irresponsible of her. Was this a veiled threat? Most probably. Although in this the 6th year of the Klinton Dictatorship the agency doesn't usually bother to veil its threats anymore... Jennifer begins with the tale of Mr. Salgado otherwise known as "smack". Mr. Salgado exploited some known flaws in the operating system used by an unnamed ISP, installed a packet sniffer and began collecting logons and other information. Eventually the ISP system administrator noticed this packet sniffer and tried to preserve the necessary information for a prosecution, but Mr. Salgado just happened to be logged on at the same time and he successfully erased his tracks. At this point Mr. Salgado had a collection of credit card numbers of the ISP's customers, and the ISP had no evidence against him. Unfortunately Mr. Salgado decided that he wanted to sell these credit card numbers, and he bragged about the incident on IRC. Things now begin to resemble any non-computer-related case involving dealings in contraband. The FBI was contacted. They in turn got a snitch. The snitch bargained to buy the credit card numbers. There was an initial sale of just a few numbers, and then the snitch arranged a face to face meeting to conclude the transaction-in the smoking lounge of San Francisco International Airport. Why at the airport? Well as it happens the smoking lounge is past the metal detectors, so this way the FBI could be sure that Mr. Salgado was not carrying a gun. The arrest was made and Mr. Salgado was charged with violating 18 USC sec. 1030-unauthorized access and 18 USC sec. 1029-fraud relating to unauthorized access. Sentencing is related to the value of the property stolen. The US attorney wanted to take the average credit limit and multiply it by the number of credit cards in Mr. Salgado's possession, which was approximately 10,000. This would have given a value in excess of 250 million dollars. The final figure agreed on was much less. It is interesting to note in this case that the FBI played up the use of anonymity in getting their snitch in contact with Mr. Salgado, and also the encryption aspects (as Mr. Salgado had encrypted the credit card numbers)-as evidence of the high tech nature of the crime and more importantly of their response to it. As Jennifer tells us, though, this was simply old-fashioned police work. There is nothing high-tech about a snitch. Jennifer continues with the LaMacchia case from 1994. Mr. LaMacchia used his account at MIT to set up an encrypted Bulletin Board System. He apparently encouraged people to upload warez (pirated copies of commercial software) and to download them for free. The amount of traffic on this BBS drew the attention first of the University, and then of law enforcement. Mr. LaMacchia was arrested and charged with wire fraud per 18 USC sec. 1343. But his lawyers argued that this was a violation of copyright, which at the time was not illegal if the activity was not for profit. Mr. LaMacchia was acquitted. This case almost certainly contributed to the passage of the Electronic Theft Act of 1997 which criminalizes willful infringement of copyrighted material worth at least $1000, even if this is not done for profit (18 USC sec. 2319, 17 USC sec. 506). An audience member questions whether this would make it illegal to keep multiple distributed backups. Unfortunately there is no clear answer to the question. Jennifer continues with the case of Eugene Kashpureff. Mr. Kashpureff was an activist who was angry with Network Solutions, the company granted control (i.e. a government-sponsored monopoly) of DNS, the Domain Name System which controls host name assignment and resolution on the Internet. He exploited a loophole in the Internet software and redirected traffic to his own site, "Alternic", where he detailed the problems with Network Solutions. He also had a link back to the InterNIC (Network Solutions' own site). Mr. Kashpureff never made any unauthorized access, he stole nothing-his only crime seems to be that he bragged about what he did. He was arrested in Canada, extradited, and charged with wire fraud. Jennifer tells us that this shows how the statutes can be used in a really broad way. There is a lone "boo" from the audience. "'Boo' is right," she says. * * * "If you've got the knowledge, the books, and tools, then you're a threat." -- J. Grannick * * * She details a trio of new laws: 18 USC sec. 1831-the new Trade Secret law, is a felony punishable by up to 15 years imprisonment, if the owner of the trade secret has made "reasonable precautions" to keep it private, and there is value derived from its not being commonly known. 18 USC sec. 2510-the Electronic Privacy Act-criminalizes unauthorized wiretaps. It is a 5 or 10 year felony conviction. (I picture every fed in the room suddenly behind bars for the next 5 to 10 years. Nah, never happen...) This law also defines cell phone scanning to be an illegal activity. It does however include one extremely broad exception-a business is allowed to intercept communications on its own phone system if those communications are related to the business. Yeah right. 18 USC sec. 2701-Stored Communications-criminalizes access, theft, or altering of stored communications. These acts, between them, criminalize keystroke monitoring, eavesdropping on cell or cordless phones, and packet sniffers. Jennifer now tells us "What to do if the cops come to your door": 1. Just say "no". Don't say anything. There's never any good reason to talk to cops. (This is greeted with loud applause.) 2. Police are like Vampires, they have to be invited into your house. So-NEVER let them into your house; NEVER let them into your car. 3. If you happen to have something on you that perhaps you shouldn't have- NEVER throw it into the bushes. Keep it on you because the cops don't have the right to search you. DO NOT throw it into plain view. 4. Don't resist arrest-this is illegal. 5. Keep your hands visible at ALL TIMES. The last thing you want to deal with is a scared cop, and this minimizes the chance that they'll beat the crap out of you. Jennifer is a breath of fresh air-a lawyer who actually believes in the 4th amendment. (For those who have forgotten, this amendment reads, "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.") She closes by telling us that the more people assert their rights, the less guilty asserting your rights will appear. * * * We now have a "Spot the Fed" session. Sure enough someone has fingered a member of the DOJ. Believe it or not he's the program manager for "Operation Get Cracking". Apparently Miss Reno wants to hire about 16 hackers to hack into other federal agencies. It is unclear what the purpose of this exercise is, but given the Clinton/Reno MO, it probably is to collect dirt on their adversaries in government. One thing I am certain of-it has nothing to do with securing government computers. Much to my surprise the fed actually asks the audience to contact him if they would be interested in jobs. There is a question from the audience-"Do you drug test?" This is greeted with much laughter. * * * "The Feds are not scared of 'Guys Like You'" -- Audience member to White Knight * * * White Knight steps up to tell us about illegal wiretap operations. He is, as it happens, an electronic countermeasure specialist and has run across a lot of illegal wiretapping. One September, a few years back, he got a call to sweep a facility in the lounge of a bank. This he did on Sunday, September 6th, and found a transmitting device on a payphone, which is illegal because you can't "minimize" it. [Brief digression-legal wiretaps must be "minimized"-that is law enforcement can't listen in to or tape conversations that are not related to the criminal investigation at hand.] Our hero had driven about 20 miles when he began to hear sirens. He stopped for gasoline and was suddenly surrounded by 8 cop cars, with police yelling in his face that they wanted their bug back, and threatening to arrest him. Among the jurisdictions involved-Tampa PD, the IRS, and the DEA. WK was more than willing to be arrested and to give his story, with a court reporter present. The cops said they didn't want the media involved and he said "Why? Illegal wiretap?" At this point the cops started hemming and hawing and looking down at their feet-definite "guilty" body language. They cited WK anyway, because they had to have a reason to search his van to get the illegal bug back. Apparently this wiretap was part of an investigation into the Key Bank, in Florida, which in turn was a part of the BCCI (Bank of Credit and Commerce International) investigation. WK tells us that the investigation of Key Bank was politically motivated, and that despite 65,000 instances of illegal taps in the case the only criminal activity turned up (besides of course the illegal taps) was that someone made a cash deposit without filling out the appropriate IRS form. WK shows us the wiretap reporting for the Key Bank case. There is no prosecutor's report-this is a violation of the law. WK tells us that Hillsborough County, Florida, seems to have more illegal wiretaps than anywhere else in the country. When WK went to investigate this case in more detail, he found that the State Attorney's office had to be sued to release the supposedly "public" records relating to the case. In them he found: * the warrant for this wiretap was never signed * the docket number was altered * no warrant in the entire case was dated by the judge. The point of all this? Even though there are strict laws governing wiretaps, law enforcement and government do not follow these laws, and are not accountable. The documents show that the warrant for the bug he discovered was applied for on September 11, 5 days after he was cited with the traffic ticket mentioned above-thus, the bug was certainly in place before a warrant was ever applied for. More interesting perhaps is that the date on the bug application is one month after the date on the following docket number. This seems to be further evidence that the bug warrant was obtained after the bug was found and slipped into the normal run of dockets by (rather amateurish, it would seem) falsifications of the docket number. It should be mentioned that altering a federal document is a felony. Mailing an altered federal document, as law enforcement did, in this case, in response to WK's allegations, is mail fraud. WK filed a complaint with the Governor's office-this however was never investigated. He filed a criminal complaint with Congress, the Treasury Department ("overseers" of the ATF), and other appropriate federal agencies. Congress referred him to the FBI Field Office in Tampa. This however turned out to be a dead end, as the FBI agent assigned to the case personally knew all the "defendants", and, as we all know, all cops stick together. In fact the FBI agent tried to interrogate WK. As it happens WK let him have it with both barrels, telling the agent that he was tampering with a witness for Congress, and could be incarcerated for his actions. At this point WK wrote a letter to Louis Freeh (director of the FBI) outlining the situation. Mr. Freeh's response? That the wiretaps were fully adjudicated and the defendants were dismissed; further investigation would not be in the public interest. Uh huh. WK next wrote a letter to Senator Grassley to file a complaint on Louis Freeh. This received no response. So basically he went as far as he could, and no one in government was the least bit interested in following up these allegations. WK estimates the extent of these activities as being 181 days of illegal wiretaps, on a bank, with no minimizing-think about that, law enforcement could listen in to find out your bank balance, and any financial transactions you might make, whether or not you were under investigation for this case. Thirty-eight cops were involved from US Customs, DEA, IRS, and the Sherriff's Departments of Hillsborough and Pinellas Counties, among other jurisdictions. Total cost of this "exercise in fascism" is estimated at $181,547. Corruption, including a cover up, mail fraud, and obstruction of justice seems to involve not only the law enforcement agents mentioned above but also the Florida State Attorney, Assistant State Attorneys, the Judge presiding over this case, and indeed probably goes all the way up to Louis Freeh. In closing, since the US Government was not willing to hold a trial in this matter, White Knight asks us to serve as a jury, trying the law enforcement agents, and Louis Freeh, based on the evidence he has presented. The audience finds all law enforcement involved guilty on all counts. Oh, and just an amusing afterthought-WK's traffic ticket was dismissed. * * * "They say patriotism is the last refuge to which a scoundrel clings" -- B. Dylan * * * Time for "Spot the Fed" again. This time someone actually finds an NSA spook. I'd never seen one before. He looks very much like Ron Howard, jeans, baseball cap, just your average guy. Though I know inside that head of his are some seriously psychotic thought processes. * * * Time for "Cult of the Dead Cow" and their launch of "Back Orifice", a hacking package which attacks Windows machines. Grand Master Ratte', resplendent in white sheepskin chaps, gun belt, and huge necklaces-a hacker-rapper?-gets the crowd to chant. "Dead". "Cow". "Rocks". "Ass". Hey at least it wakes up anyone who might be in a post-luncheon stupor... Back Orifice is a client server package-the idea being to turn the targeted machine into a server. The server code is only about 120k bytes in size, rather small for a Windows application. Currently the server will run on Windows 95 and Windows 98. (By the time of this writing it should be ported to Windows NT as well.) The client code runs on Windows, though there will soon be a UNIX version. Back Orifice can be installed using any one of a number of commonly known exploits that allow you to write to the targeted machine. Once installed, Back Orifice allows you basically to commandeer the resources of the targeted machine. One of the CDC members gives us a demo-"Look! We have a color QuickCam!" (on the victim machine). "Let's capture a frame off that QuickCam." And he proceeds to do so. "Now we'll capture an AVI..." Back Orifice also allows you to play sounds on the server-this I can see has great annoyance potential. You can also pop up arbitrary dialog boxes with text of your choice. The CDC is considering making these dialog boxes system modal so the user can't do anything until they click on them. You can look at all incoming and outgoing network connections... You can obtain a remote DOS shell through a TCP port. You can reboot or lock up the server. You can even write plug ins for Back Orifice to perform additional functions. The CDC calls these "Butt Plugs". This gets a chuckle out of the audience. Back Orifice installs itself as a service and starts up every time the machine is rebooted. The file name that it installs itself as is configurable; the port number it uses to communicate with clients is configurable, and the packets transferred between client and server are encrypted. The Cult tells us that it is even possible for multiple servers, installed by different people, to run on the same victim machine. At this point the audience asks some specific questions about installation-you can install Back Orifice by e-mailing it as an attachment, or exploiting a known buffer overflow bug. The Cult is currently writing "DirectExploit", a Windows based wizard that will assist with exploits. They are also engaged in writing a wrapper which will allow you to attach Back Orifice to an application. The wrapper will install B.O. while appearing only to run the app. More information on Back Orifice is available at www.cultdeadcow.com/tools. * * * At this point I've been at the Con for hours-I've had no breakfast and nothing to drink, so I head out for some food. "Capture the Flag" is still packed with people-I will learn later that one of the teams has commandeered the network's router so most of the other teams are just bouncing off of it! I pass a man in a "Rehab is for Quitters" tee shirt. I like that. On the way down the escalators I see Jennifer Grannick doing an interview with camera-toting media of some sort. I hit the Plaza Deli-which overpowers me with the smell of disinfectant. This isn't particularly appetizing so I head out to the street. I had forgotten that the Downtown casinos, in an effort to increase business, had put a roof over downtown, turning it into the "Fremont Street Experience". To me it is a travesty-it's like I've wondered into "Las Vegas Land" at DisneyWorld. It's a parody of the Vegas I've known for the last 20 years. You can't even cruise Fremont St. anymore-they've turned it into a pedestrian mall. Jesus. I look for likely places for lunch and finally decide on the Golden Gate (1 Fremont Street, est. 1906)-this strikes me as a good choice since I'm from San Francisco, though the "1906" reference worries me a bit. I take advantage of their 24 hour breakfast and have a couple fried eggs, while listening to a pair of Defcon attendees sitting next to me. The girl is telling the guy about her plans for college. She's decided on UC Berkeley, my alma mater. Go Bears! I finish up and pay with two two-dollar bills-the cashier doesn't seem to want them but one of the patrons at the counter does so we make a quick trade. I wander back out onto Fremont Street, passing a Coke kiosk (who the hell drinks soft drinks in Las Vegas?) and duck into Glitter Gulch, the old slot machine joint that was transformed, a few years back, into a topless bar. Now that's the kind of change I can embrace. There's no cover charge, but a two drink minimum, so I decide to come back later when I have more time. On my way back to the hotel I pass a cute babe whose job is to stand on th e street, in a skimpy cowgirl costume-complete with fishnet stockings, which of course historically provided cowgirls with very good protection against the sage and under brush-and distribute free tickets to the Red Skelton tribute show at the Plaza. I make a note never again to complain about my job. But a tribute to Red Skelton? I would much rather see "The Spice Girls Experience"- which actually is playing elsewhere in town! Only in Las Vegas... * * * Up at the conference someone has brought in stacks of "entertainment" magazines such as "Private Dancers" or "Las Vegas First Class-XXX Nude Dancers" (featuring former Clinton Girlfriends-yeah, I really wanna risk catching whatever STD's Clinton has...) These are heaped up near the as yet unmanned bar (dammit I want a drink!) Inside the merchandise room techno music plays, and a light show competes with a screening of AnnaLiza's "Unauthorized Access" hacker documentary from years ago. Members of the Dis.Org Crew are passing out free temporary tattoos of bar codes ("Scan me, baby!"). I take a few and ask the blonde behind the table how they work. She helps me put one on the back of my left hand, soaking it in water then sliding it off the backing and putting it carefully in place-but it won't stay, I have too much hair. Shoot. A couple on the floor-a pretty young girl and a rather overweight young guy-tell me that they're getting married. Would I be interested in contributing $ for their wedding? Not being one to stand in the way of young love I toss a quarter into their collection bucket. I notice a girl whom I will refer to, mentally, as "S&M Chick", for the rest of the weekend. She is browsing one of the hacker book tables. She wears a black vinyl corset over a lacy black see-through shirt, black micro mini, multi-colored hose that appear to depict magazine or newspaper articles, black "Spice Girl Shoes", and a black slave collar with ring. Pale makeup with heavy dark mascara and blood colored lipstick, and multi-colored black, teal, and orange hair, in pigtails, complete the ensemble. Definitely attention-catching. * * * Back in the lecture hall, Paul Kocher tells us of his (successful) efforts to break DES, the government's Data Encryption Standard and one of the most widely used encryption mechanisms for the past 20 years. The basic technique is to reject enough obviously bad keys that the machine can undertake a "reduced" brute force attack on the rest. The machine, built at Cryptography Research in San Francisco, and sponsored by the Electronic Frontier Foundation, was named "Deep Crack" (an homage to the computer "Deep Thought" in "The Hitchhiker's Guide to the Galaxy", which in turn appears to have been named after the X-rated movie classic, "Deep Throat". End of Genealogy Lesson.) "Deep Crack" consists of approximately 18,000 ASICs, Application Specific Integrated Circuits, each expressly built for the purpose of cracking DES, and cost, in total, about $250,000. It supports, or rather breaks, the various flavors of DES, such as Cipher Block Chaining, Cipher Feedback Mode, and Output Feedback Mode. Breaking DES enabled them to claim a $10,000 reward from RSA Data Security. But why spend $250,000 to win $10,000? They did it for a number of reasons: * to validate academic claims that DES could be broken * to point out that short key lengths are not secure. A 40 bit key space, which is what the government wants exporters and foreigners to use, can be broken by "Deep Crack" in 6 seconds. * to refute government claims regarding the "security" of DES * to provide information to users of DES * and most importantly, perhaps-to demonstrate what attackers already know. When he opens the floor to questions, an audience member says "Congratulations and thank you-you have done something wonderful." The room breaks into applause. Paul tells us, in response to other questions, that he has found no obvious back door in DES, that there has been no statement from the NSA (surprise) and that "Deep Crack" cannot be used to attack Triple DES. In fact he estimates that it would take 72 quadrillion of these machines to break T-DES. For this reason he heartily recommends it. Additional information on this effort can be found at www.cryptography.com. * * * At this point it's after 6 so I go outside. The floor in the entranceway is carpeted with ads for nude dancers, burnt out cigarettes, empty cups and bottles. It's a good thing I'm wearing heavy boots as I can hear all this crunching underfoot. I run into "Dead Addict" whom I first met in 1994. He seems to be doing well, working for one mainstream firm or another-I forget which. I ask after Peter Shipley, a mutual acquaintance, but he hasn't seen Pete. I take my leave and circle the tables in the merchandise room once more, then go downstairs and head out, over to the Topless Girls of Glitter Gulch. I watch dancers with outrageously huge (and outrageously fake) breasts writhe on metal poles, pretending to find sexual gratification from this. My Defcon notes glow in the black light. I notice some other conference attendees and go chat to "PJ", an employee of one of the Big 7 (Big 6? At this point who can remember...) accounting firms. He is enjoying the conference, and even more so the dancing. He seems awfully mainstream, he could almost be mistaken for a fed. After awhile I decide I better get back to my hotel so I grab a cab and go back to Treasure Island-listening the whole time to my cabbie's story of his divorce and his crazy ex-wife. He should be paying me, I think! * * * The night is lost with memories of cruising the strip for good Italian food- chianti-vodka-and some kind of ungodly pink slushee drink they serve in the bars at Treasure Island, in a skull shaped mug which you can keep, if you can down the concoction. Seems to me it would have been easier just to buy the mug! * * * August 2. I return to the Plaza for Round 2. A list of machines and logins is posted over the door of the auditorium, courtesy of one of the many hacking groups present. Or perhaps its a set-up by one of the many TLAs present? Inside, D'arc Tangent tells us that someone was interfering with the hotel's security frequency yesterday. He got a little visit from the Plaza's goon squad. He tells us, "if they catch you, you're going to jail." The prevailing sentiment in the room is, "Why? The Plaza doesn't own the frequency." * * * Dan Veeneman speaks to the hungover crowd (apparently I missed quite a party last night) about Low Earth Orbit satellite communications. He wears a "Practical UNIX Terrorism" tee shirt that looks like an O'Reilley book cover except that instead of an animal it has a picture of the Unabomber on the cover. Dan outlines the various orbital bands above the earth-at 19,300 nautical miles is the geostationary orbit. This contains satellites belonging to Inmarsat (for marine navigation), American Mobile Satellite Corporation, TMI, a Canadian firm, and Optus, an Australian firm. At 12,000 nautical miles is the outer Van Allen Radiation Belt, along with some military satellites, and also the ICO satellites. At 8,000 nautical miles is the Medium Earth Orbit or MEO band. At 3700 nautical miles the Inner Van Allen Radiation Belt. At 1100 nautical miles the Low Earth Orbit or LEO band, which includes the Iridium, Globalstar, and Orbcomm satellite systems, among others. And at 200 nautical miles, the atmosphere. The Van Allen radiation belts are pretty hard on satellites-as is the atmosphere-but Dan tells us there are plans to have satellite-like devices in the atmosphere! * * * "Satellites are not bandwidth-limited, rather they are power-limited" -- D. Veeneman * * * On to LEOs. Dan first covers "Big LEOs", each of which consists of a constellation of satellites that will provide voice services in frequencies above 1 GHz. These are essentially extensions to terrestrial cell service. Motorola's Iridium System will have over 66 satellites traveling in 11 planes at 421 nautical miles altitude. Unlike other systems, Iridium's satellites will do on-board processing-they intend to make heavy use of inter-satellite links. Currently Iridium has 72 satellites in orbit, but 7 of these have failed in some way. Iridium will operate in the 1600 MHz frequency range. Globalsat, a competing "Big LEO", has been dogged by power concerns due to their small battery size. Apparently power management is one of the primary problems aboard spacecraft. Many industry observers believe that the Globalsat satellites are underpowered and will not be able to support all their customers-that is if they are successful enough to have a lot of customers. However as an ace in the hole Globalsat uses a mechanism called "Diversity Combining" which enables up to 4 satellites to send the same signal to a receiving cell phone, using CDMA, in order to provide sufficient power. Ellipsat, a third competing system, actually has obtained a patent on their orbiting scheme. They use elliptical orbits with the apogee (the point at which the satellite is furthest from Earth) over the Northern Hemisphere-which includes most of the Earth's land masses, and thus most of Ellipsat's customers. Their satellites spend much more time on the apogee portion of their orbits so are in "usable" locations for much longer-which means that fewer total satellites are required. The orbit's perigee is over the Southern Hemisphere. Ellipsat proposes to put its satellites into quiescent mode during the relatively brief time that they are in perigee so that they may recharge their batteries. The fourth competing system isn't really a "Big LEO" at all, but rather a MEO. ICO, a spin-off of Inmarsat, has 10 satellites with 2 spares and uses basic TDMA for transmission. The small number of satellites is made possible by ICO's higher altitude. * * * Dan now tells us about "Little LEOs". "Little LEOs" differ from "Big LEOs" in that they are used only for data transmission in the VHF and UHF frequency ranges. Some of the current Little LEOs are Orbcomm, E-Sat, Final Analysis, LEO One USA, and Volunteers in Technical Assistance. These five companies are currently sharing a common frequency range. It is unclear how this will be resolved if these services become popular in the future. To further complicate things, the same general frequency range is shared by satellites from the DOD, the National Oceanic and Atmospheric Administration (NOAA, which performs weather tracking and forecasting), and a French LEO system. Orbcomm, a typical Little LEO, will consist of a constellation of 28 satellites, which will be enhanced, we are told, to a total of 48 by 1999. There will be six orbital planes of eight satellites each. The satellites are essentially orbiting packet routers, each of which weighs about 100 pounds and, in Dan's words, looks like a "big movie film cannister". They use X.400 addressing to send "Global Grams". When the satellite can see an earth station it will relay these packets; if it cannot see an earth station it will store data and forward it later. It is possible, Dan tells us, to monitor Little LEOs. All you need is a receiver in the 137-138 MHz frequency range with a 25-50 kHz bandwidth. The "rubber ducky" antenna works well. You will also need orbital predictor software to help you determine where the satellite is, as well as "Two-Line Elements" (TLEs-unfortunately I have not a clue what these are, and Dan never tells us) to feed into this software. A better antenna is the M2 EB-144 "Eggbeater". This gives good performance without having to track the satellite quite so closely, and it runs only $150. * * * LEOs typically use Direct Sequence Spread Spectrum. Unlike narrowband broadcasting which is used by most normal RF communications, DSSS broadcasts a much less powerful, much more spread out signal. In fact DSSS power is so low that the signal normally sits below the noise floor, so if you didn't know a signal was there, you probably wouldn't notice it. A side effect of this is that satellites can conceivably be used as a covert relay channel by anyone who happens to know where they are. It is unlikely that the additional traffic would be noticed as anything other than an increase of the noise floor by a slight fraction of a dB! * * * Dan opens the floor for questions. The crowd is beginning to wake up and so they ask about May's nationwide pager failure. Dan answers that although a backup satellite was available, technicians had to manually re-point all the paging towers at the backup. (Now there's a classic case of bad system design.) Someone else asks about satellite failures, and Dan tells us that the best source for information on outages is Securities and Exchange Commission reports. He tells us, "You can lie to the FCC, but you can't lie to the SEC." There is a question about Y2K. But as Dan says, "The problem with Y2K is that you can't really say anything without your lawyer wanting to kill you." * * * I go out to walk the merchandise room while awaiting the next talk, by Peter Shipley. I really wanted to get some of the books in there, so I pick up a book on acquiring a new identity, and another called "Just Say 'NO' to Drug Tests". I don't do drugs, but I think the un-Constitutionality of drug tests, in almost every circumstance, is fairly apparent to the meanest of intelligences. Well maybe not to the meanest of intelligences, as these seem to belong to our current supreme court (in)justices. Defcon is, among other things, a great gathering place for people with Libertarian ideals, which is 1. Why I feel at home here, and 2. Why I can find great books to buy here! * * * Outside in the corridor someone shows up with tee shirts I just have to have. He is still taking them out of the bag as I fork over $20 and snag one-a black shirt with the "Intel Inside" logo superimposed over an inverted pentagram and the legend "Intel i80666 Pentagram Processor-Runs Hotter than Hell". On the reverse is a picture of Bill Gates with Devil's horns on his head, and the legend "Bill says, 'Buy It!'" * * * Back into the lecture hall, which is now overflowing with people waiting to hear Peter. I can't find a place to sit so I go up to the front and sit on the floor. Peter is standing to one side, looking his usual eccentric self, with long flowing hair, billowy goth shirt, and a pair of goth fangs in his mouth. He steps up to speak when a box of FreeBSD CD-ROMs is delivered, and he starts asking trivia questions of the audience and tossing the CD's out to them. He is trying to promote the use of FreeBSD, and also trying to promote the audience's literacy by asking questions about Dante's Inferno. My fave-"Which circle of Hell does Bill Gates belong in, and why?" One audience member answers "the 9th circle, for betrayal to benefactors, where Judas lives." This is greeted with applause and laughter. * * * Peter is here to tell us about the results of a 2 year long war-dialing study he undertook in the San Francisco Bay Area (specifically LATA 1 of Pacific Bell, including area codes 408, 415, 510, 650, 707, and 925.) He tells us he doesn't know why we're all here, as he is just going to tell us everything we already know. He notes carefully though that there are no state or federal laws against war-dialing. It's covered by a local ordinance, and you're allowed one phone call to a number-which is all he needed. There are few published references on security problems with modem access, and Peter's basic conclusion is that things are worse than he expected-Internet and modem connectivity, as implemented in the real world, are equally insecure, and system administrators do not seem to care! Peter has scanned 402 exchanges so far (an exchange is capable of supporting approximately 10,000 telephone numbers). His statistics show the following distribution: Carrier 1.01% Busy 18.4% Ring no answer 44.2% Answers 36.3% (Peter notes that the 1.01% carrier argues against Pacific Bell's plan to raise rates based on usage of the telephone infrastructure for Internet access...) A majority of the dialups found greet users with a welcome message-this is a very bad thing from a legal standpoint. It's very hard to prove trespassing on a computer system if you "welcome" the "intruder". In fact, less than 2% of systems warn away possible intruders. Additionally, a majority of dialups overly identify themselves, with such information as the organization they belong to, or the OS version they are running (very helpful to hackers.) Peter saw about 94 modems per exchange, with the highest percentage of modems in an exchange being 6.1%. Of the modems found: 2% have a warning in their banners 1% show the Internet Domain Name 2% were Shiva LAN Rovers 3% were Annex Terminal Servers .4% were Ascend .2% were PBXs - this was the console port of the PBXs, you MUST protect this, preferably with two-line dial back, key authentication, etc. .4% were voice mail Peter tells us that 2% of the Shiva LAN Rovers have no root password. 3% of Ascends answered with an "ascend% " prompt. Many of the CISCOs encountered answered with a command prompt; about 25% of these were in "enable" mode. The baud rates encountered varied, but there were a lot of 1200 bps connections-these are "juicy" as they're generally connections to building environmental controls, voice mail, and other important systems. Peter gives props to my alma mater. While UC Berkeley had the most modems per exchange, these were also the most secure dialups! Among all the different devices he discovered, Peter lists: Firewall Router Consoles Environmental Controls Terminal Servers UNIX Shells (he reminds us to make sure our modems drop carrier...) DOS shells T-1 Multiplexors Oakland Fire Dispatch (he turned this in to the FBI) Cody's book ordering database A Dr. S- in Berkeley whose patients' records were publicly available (unintentionally, one assumes) On average Peter discovered a wide open system 4 times a week. He also notes that 75% of dialups are vulnerable to some form of a hack. This seems to agree with Dan Farmer's data on Internet connectivity and security problems. So, how to defend your dialups? Build and install an intranet firewall to segregate your modem bank subnet from the rest of your network. Write a security plan. Audit your firewall. These are all basic steps that too many of us forget or put off in the daily rush of business. * * * Peter opens the floor to questions. Someone asks why the telephone company, in this case Pacific Bell, didn't notice. He doesn't know-he was even on the cover of the San Jose Mercury News. Another questioner asks what happened when the phone company contacted him for hitting trapped lines. He says this never happened to him. In closing he tells us he's about 75% done with the local exchange, and he'll probably finish it, then quit. * * * As Peter leaves I follow him to talk for awhile-he gives me a bottle of Dis.Org Ale (IPA spoof spice ale) which is pretty cool-the label features a picture of the entire Dis crew taken at what looks like Burning Man, along with the warning "1) Consumption of alcoholic beverages may inhibit celibacy 2) Consumption of alcohol may impair the ability to examine a system undetected and build functional back doors". It is far too cool to drink so I save it as a souvenir (besides, I'd rather have a vodka and tonic...) * * * The next speaker, Se7en, is so far a no-show. Too bad 'cause I was looking forward to the talk on hacking the travel industry... Instead I wander into the other room, where Johnny Zen is up on the stage asking trivia questions of the audience and giving out "unusual" door prizes-mostly outdated computer equipment. I walk to the front and sit on the floor, as I'm kind of used to the floor by now, and watch for awhile... "What is the start up sequence for a VAX?" "What kind of computer do you have to heat up before you can use it?" (An IBM 1621-a very old computer with genuine magnetic core memory.) Johnny decides to embarrass me and "fingers" me as a screenwriter for the "Spot the Screenwriter" Contest. Why he thinks I look like a screenwriter is beyond me, except maybe that I'm twice as old as the average audience member... I'm wearing blue jeans, black suede boots, black silk shirt, and a grey tweed blazer-are these the clothes of a screenwriter? Perhaps. Johnny asks the audience to vote, but they seem kind of indecisive, so he fesses up that he knows where I work, and I admit to working for an RBOC, which gets kind of a mixed reaction from the crowd. He gives me a 2400 bps fax modem for being a good sport-just what I need! I go back to sit down and admire the "Big Brother Inside" sticker on someone's laptop-Johnny continues the trivia questions and I come up with my own, which I scribble on paper and give to him: "What year was the first digital switch deployed in the Bell System, and what kind of switch was it?" (Answers: 1976, No. 4 ESS) A bearded fellow-geek seated next to me decides to ask the full name of the inventor of the first mechanical switch; even I don't know this. (It's "Almon Strowger", for the curious...) * * * I wander outside and sit down in one chair, propping my feet in another, to write, and to watch the crowd. Someone brings in a free case of Jolt and plunks it down on the table right near me-I grab one in the general feeding frenzy-the case doesn't last more than a minute. So I lean back and watch the hackers come and go, and up my caffeine level...While Peter gives a filmed interview to 2600 I chat with "Judy"-a more mature hacker, who says she's been around from the beginning. She directs me to the "root shell" web site, with the warning that after a hack shows up on "root shell" you can expect attempts to be made with the new hack in two to three days... Sabrina from the Georgetown School of Public Policy comes over with a survey on international aspects of hacking-it asks questions such as "has an agent of a foreign government ever asked you to hack into a computer system?" "Judy" lays into her about the construction of the survey, while I can't help but wonder which TLA is interested in the results... * * * Out in front of the casino I see S&M chick. I tell her she should get an award for best outfit of the weekend. She asks me if I was there when phon-E (a young hacker I remember chiefly because of the design of an atom, in red, dyed into the back of his very black hair) was arrested. I say "No! Too bad." Days later we will find out that the FBI pulled him in for possession of a Herf gun-a magnetic "weapon" capable of frying most electromagnetic devices-and possession of which is, as far as I know, not against the law. Indeed, phon-E is only held for a day or two, on God only knows what charges (if any), and then released. * * * My last memory is of Isabel, a beautiful redhead with short curly hair, shaven across the back of her head, blue eyes, ivory silk shirt unbuttoned just enough to be sexy, beige plaid pleated "Catholic School Girl" skirt, beautiful legs, cute khaki ankle socks, high heels, and a very high-tech low power ham radio system for communications within the hotel-she has an earphone in one ear and a microphone attached to the collar of her shirt. I don't remember, from my own youth, any geek-ettes even remotely this gorgeous. But she's gorgeous and intelligent-I will tell a friend later that she reminded me of the ZZ Top song "Legs", or more accurately, my own paraphrase of that song-"She's got brains.... She knows how to use them...." This is true of most of the crowd I think. They are way over the national average in terms of intelligence, even if it is mostly directed toward technology. Perhaps that's appropriate-we live in a very technical world now. So why is government concerned about these people? All that brain power and youthful energy-who knows what they could do? Entire Contents copyright 1998 T. J. Barrett, all rights reserved