DEFCON 11 Trip Report

What: DEFCON 11

When: August 1--3, 2003

Where: Las Vegas, Nevada

Why: For the hack of it...

Imagine a conference where half of the attendees are trying to prevent the other half from hacking their networks. That's essentially the situation at the hackers convention known as Defcon. It's dirt-cheap by conference standards (only $75) and it's billed as something of a computing counter-culture event. The conference follows immediately on the heels of Black Hat which is probably the premier security conference of the year.

Black Hat is priced like a normal conference and, I'm told, it draws a more-or-less normal conference crowd (i.e., security professionals). Defcon, on the other hand, attracts an odd mix of hacker wannabes (mostly kids) along with a significant number of security professionals. Many of the security professionals attend both Black Hat and Defcon. In addition, several of the talks at Defcon (many of the best talks) were also presented at Black Hat, which makes Defcon even more of a bargain.

A couple years ago I spoke with a government security person who had attended both Black Hat and Defcon. His comment was something like, "Black Hat was a little bit strange, but Defcon is filled with 16 year-olds who have way too much time on their hands." That might be a slight exaggeration, but not much.

At Defcon 11 there was a definite surplus of black clothing and pierced body parts. There were also some kids who fit the nerdy stereotype, but they were far outnumbered by the anarchists.

Registration was on-site only, cash only, and no names were taken. The conference was very loosely organized. The talks consisted of three parallel sessions, each seating perhaps 500. The number of attendees was at least twice the number of available seats and there was no "standing room" due to fire code restrictions. As a result, after each talk the room was cleared and those who had lined up were then allowed in. This made it difficult to see two consecutive talks. The talks were all 1 hour, with talks scheduled from 11:00am to 8:00pm, except Sunday, when the last talk was at 3:00pm and an awards ceremony at 4:00. Lining up for talks was unpleasant since the lines were outside in the hot desert sun. Surprisingly, I didn't observe any heat strokes among the black clothing crowd.

The conference was held at the Alexis Park Hotel, which is about a mile off of the Las Vegas Strip. Alexis Park is one of the few non-gambling hotels in Las Vegas, and that worked well given the large number of under-aged attendees. The hotel generously sold slices of pizza for $5 each and snacks at even more absurd prices. They also sold alcohol and there was a lot of drinking, though I didn't see anyone getting really obnoxious or blowing chunks. I suspect the price of the drinks helped reduce such problems.

The presentations were, in my opinion, mediocre on average. Fortunately, the variance was high, and the better talks were really good. On the other hand, the worst of these talks were as bad as they come. And the 1 hour per talk schedule made the bad talks seem even worse.

An interesting quirk of Defcon is that nobody introduces speakers. This might not sound like a big deal, but it often wasn't clear where the pre-talk banter ended and the actual talk began. And in some cases, the pre-talk banter took up a large chunk of the speaker's time.

The talks are only part of the show at Defcon. They also had a number of events, including "Spot the Fed", a scavenger hunt, a "war driving" contest (drive around and map 802.11 network access points), hacker jeopardy, a lock picking contest, and "capture the flag" (a hacking contest), among others. I'll have a little more to say about some of these below. Here, I'll just mention a few of the better items on the scavenger hunt. Some of these required evidence, such as a photo or video.

Here's my diary of events.

------------------------- Thursday -----------------------------

6:00am: Loaded my bicycle onto my car and departed Cupertino for the drive to Las Vegas.

4:00pm: Arrived at the Frontier Hotel on the Las Vegas Strip. They advertise themselves as the only hotel on the strip with bingo. I don't expect to find many Defcon'ers here.

8:00pm: I survived my bicycle ride to the Alexis Park Hotel and back. Las Vegas is about the most bicycle-unfriendly place I've ever seen. At least I'm registered and ready for tomorrow.

-------------------------- Friday ------------------------------

7:00am: I'm an early person, so an 11:00am starting time is going to take some getting used to. At least I've got plenty of time to consume a monster breakfast.

10:00am: Arrived at Defcon as the exhibition center just opened. There was not much for exhibits. For example, one "vendor" was selling military surplus electronics junk. There were several T-shirt vendors (all T-shirts were black, of course) and an official "DEFCON Swag" table. Some of the better non R-rated shirt and/or bumper sticker slogans included the following.

11:00am: A conversation with Phil Zimmermann

Phil Zimmermann invented PGP ("Pretty Good Privacy"), a strong cryptographic package, and distributed it online, beginning in the early 90's. At that time, cryptography was treated as a munition and there were, of course, restrictions on exporting munitions. So PGP was subject to "export control" by the US government, but Zimmermann had ignored these controls by distributing PGP online. So the government filed a suit against Zimmermann. In the mid 90's the government dropped its case against PGP, but not before it had made Phil Zimmermann into a folk hero with a lot of people---particularly with the type of people who attend Defcon.

As with too many of the speakers at Defcon, this speaker had no talk to give. Instead, he talked off the cuff for a few minutes then relied on questions from the audience. Fortunately, he had some experience in such a format and he didn't have to go far before arousing some audience participation.

Zimmermann mentioned that the most frequently asked question is, "Is there a back door in PGP?" And he said, "No, of course there's not a back door in PGP". This led to an attack question/comment from the audience which got the speaker obviously agitated. He said, "There's no backdoor in PGP. Get a life! The people who ask this kind of question are the people who believe that the X-files is a documentary." And he didn't let it drop there. He added, "The sort of people who were really paranoid about the Trilateral Commission seem to be attracted to cryptography." Of course, as a former NSA'er I could appreciate his position, since nothing he could say could possibly reassure the people asking the questions.

The audience wasn't going to let this drop either. Someone asked how he could be sure some developer had not inserted a backdoor. His unreassuring response was, "All of the developers have the same views as me." Of course, this was not sufficient and someone asked how often he personally reviewed the code. This went back and forth for a while, but didn't go anywhere. He did admit that there had been "embarrassing bugs" in PGP but didn't bend on even the theoretical possibility of a backdoor.

Eventually, he moved on to talk about the history of PGP and the government case against him. He pointed out that in 1991, businesses viewed the security threat as coming from other businesses. At that time, and for that particular threat model, DES with a 56-bit key was more than sufficient. Zimmermann, however, was interested in human rights, where the threat comes from governments. Under this threat model, he did not believe that 56-bit DES was sufficient. As an aside, he claimed that in the post Cold War period, governments agencies became involved in economic espionage and hence the threat model of business and human rights tended to converge.

Zimmermann said that because his interest was human rights, he viewed crypto as a matter of life and death. That's why he developed PGP with the strongest crypto available. He mentioned that Brian Snow of NSA once told him that he admired Zimmermann's approach to cryptography, since NSA also takes a "life and death" approach when designing cryptography.

Zimmermann then outlined the government's case against him. In 1991 he had made PGP available online. He subsequently helped some overseas developers implement it. This latter issue was apparently considered much more egregious since he was actively involved as opposed to just passively making information available.

His legal defense strategy was very interesting. At his lawyer's suggestion, Zimmermann wrote a book containing the PGP source code and got it published by MIT Press. He applied for permission to export the book, which was granted immediately since there were no export controls on books. He then asked for permission to export the book with a disk that contained the PGP source code. At that point the government realized they'd been had and their case slowly unraveled. In the interim, he wrote a book with a version of the source code that was designed to be easy to scan (with checksums and such) so that once the book was exported it could instantly be converted into electronic form. All of this silliness eventually led to the downfall of export controls.

Zimmermann suggested a test to determine whether NSA can break PGP. First, hire a comedian to write a very funny joke. Then encrypt the joke with PGP and convince NSA that this is important traffic that they need to break. Then wait a few years and see if the joke appears.

He concluded with a nice story. He said that someone called him claiming to have invented a great "new" idea, that of hiding data in a picture. And, best of all, he had developed a standard for doing so. Of course, hiding information, known as steganography, is not new. The weakness of steganography today is that if someone knows the hiding method, they can easily remove (or at least mangle) the hidden information. So Zimmermann said that the idea of a standard for steganography is "like every piece of Samsonite luggage having a special compartment for smuggling cocaine."

There was no technical content to this talk, but it was fun and interesting. Having heard so much about Defcon, I was a little disappointed that there was no major disruption.

1:00pm: At risk! Privacy --- Leonard Kleinrock and Sally Richards

Leonard Kleinrock published some of the earliest work on packet switching. Consequently, he's generally considered as one of the inventors of the Internet. Kleinrock wasn't physically present---instead he was available via video link from UCLA. There were plenty of technical difficulties, but that was the least of the problems with this talk.

Sally Richards is a journalist and a certifiable dingbat. She spoke first and she rambled on about nothing in particular for 10 minutes or so. Then Kleinrock talked for about 10 minutes, apparently with the intention of contrasting his original view of the Internet with the actual Internet of today. It seemed to me that he had absolutely nothing to say other than that the government needs to pass a bunch of laws because things didn't turn out quite the way he'd hoped. I always find it amusing when the radical libertarian/anarchists call for more government.

After Kleinrock's cameo, Sally (a self-described "nonlinear thinker") took over. Whatever potential there had been to salvage something useful from this talk immediately evaporated. After what seemed like an eternity or two (remember, all Defcon talks---good, bad or horrible---are 1 hour) the floor was opened for questions. There were a few good questions but, unfortunately, no good answers were forthcoming.

One questioner questioned whether Kleinrock regretted testifying before congress against peer-to-peer file sharing networks. His answer, "I think stealing is wrong" probably didn't endear him to the audience. Another person asked Kleinrock whether it might not be better to rely on technical means instead of government regulation in order to achieve the changes he sought. Kleinrock stated that he only wanted "government action to prevent illegal activities." This begs the question, if it's already illegal, why would you need more laws?

Sally then got on some wacky tirade filled with lots of preaching, no substance and much misinformation. Apparently she is very worried that the Internet will be nationalized, as if that were possible. And she adamantly insisted (she was adamant about everything) that in the near future people are going to be willing to pay for privacy. Anyone who has spent time in the security business would have to laugh at that comment. Then she opined that "free press doesn't exist anymore, but blogs will take care of that". And she said, "I'm not advocating vandalizing websites, but..." in a tone that made it clear that she was, in fact, advocating vandalizing websites (presumably, of anyone she didn't agree with politically). Interestingly, this was the only point in the entire conference where I heard a speaker advocate an illegal activity.

A final nutty questioner commented that "The only solution to all of this is to make sure that everyone has their own weapon of mass destruction" to which Sally replied with the non sequitur, "I think the answer to that is impeachment." Mercifully, the talk ended at that point.

I've been to many conferences and I've seen many bad talks. This talk gets my vote as both the worst and most pointless talk I've ever seen.

2:00pm: Mimicry --- Mystic

Before this talk, a member of the Defcon staff initiated a round of "Spot the Fed". The initiator was very funny, but most of the jokes were R-rated---or worse. Before beginning "Spot the Fed", he asked everyone how they were doing. Then he said "We want this to be the second happiest place on earth. The happiest place is the Chicken Ranch" (a legal brothel near Las Vegas).

In the "Spot the Fed" session, a suspected Fed was coerced onto stage with the promise of an "I'm the Fed" T-shirt. He was then asked questions like "do you have a security clearance?" and "is your clearance above SECRET?", etc. There were also many R-rated humorous comments. It was finally determined that the potential Fed was in fact a civilian NSA employee. Spot the Fed was extremely humorous---one of my favorite parts of the conference---but you really had to be there.

By the time Mystic got to start his talk, he only had 40 minutes left. By the way, this speaker used his "handle", Mystic, instead of a real name. Presumably, this is for anonymity. Most speakers didn't take this very seriously and often revealed both their handle and their actual name. It seems that having a handle is more of a fashion statement than a security issue.

Mystic's talk dealt with a slight twist on steganography. He had developed a system to make encrypted data look like normal text, thus avoiding automated tools that might filter out random data (encrypted data looks random, while plaintext data is very structured). He presented an example where he encrypted the sentence "This is a test" and then processed the ciphertext to produce a long paragraph about baseball. The tool simply used the encrypted bits as a key for selecting snippets of text, while following rules so that the resulting text was somewhat sensible. The process could be reversed by the receiver so that he could reconstruct the encrypted text from which he could recover the plaintext.

3:00pm: Luna Correspondence Protocol --- Chung's Donut Shop

This talk was about a "revolutionary" approach for sending untraceable data across the Internet. Suppose A wants to send a message to B. Then A creates a bunch of ICMP packets (think of a "ping") with the source address changed to B. These packets are shuffled and sent to various locations. If C receives one of these packets from A, he returns it to its "source" which appears to be B. Thus, A has gotten his data through the network to B by using a bunch of intermediaries who have no idea they are a part of the communication process.
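From the receiving host's side, the scheme above shows up as echo replies that answer no request the host ever sent. The following is an added example (not code from the talk or from this report) of that check run over a constructed capture; the records, addresses and identifiers are all made up for the demo.

```python
"""Flag inbound ICMP echo replies that match no outbound echo request.

Constructed records stand in for a packet capture taken at host B. Each
record is (timestamp, direction, icmp_type, peer, identifier, sequence),
with direction "out" or "in" from B's point of view, and icmp_type 8
(echo request) or 0 (echo reply)."""
from collections import Counter

ECHO_REQUEST, ECHO_REPLY = 8, 0

# Constructed sample: B pings one host legitimately (request/reply pair),
# then receives replies from three hosts it never pinged, all carrying the
# same ICMP identifier, which is what a reflected stream would look like.
SAMPLE = [
    (1.00, "out", ECHO_REQUEST, "198.51.100.7", 0x1234, 1),
    (1.02, "in",  ECHO_REPLY,   "198.51.100.7", 0x1234, 1),
    (2.00, "in",  ECHO_REPLY,   "203.0.113.10", 0x4242, 1),
    (2.01, "in",  ECHO_REPLY,   "203.0.113.11", 0x4242, 2),
    (2.03, "in",  ECHO_REPLY,   "203.0.113.12", 0x4242, 3),
]


def unsolicited_replies(records):
    """Return inbound echo replies that match no earlier outbound request.

    A reply is matched on (peer, identifier, sequence); each outbound
    request consumes at most one reply, so a duplicate reply to the same
    request is also reported."""
    outstanding = set()
    unsolicited = []
    for ts, direction, itype, peer, ident, seq in sorted(records):
        key = (peer, ident, seq)
        if direction == "out" and itype == ECHO_REQUEST:
            outstanding.add(key)
        elif direction == "in" and itype == ECHO_REPLY:
            if key in outstanding:
                outstanding.discard(key)
            else:
                unsolicited.append((ts, peer, ident, seq))
    return unsolicited


def reflector_summary(records):
    """Count unsolicited replies per peer; many peers sharing one
    identifier point at a single spoofing sender rather than at the peers."""
    return Counter(peer for _, peer, _, _ in unsolicited_replies(records))


if __name__ == "__main__":
    for ts, peer, ident, seq in unsolicited_replies(SAMPLE):
        print(f"{ts:6.2f} unsolicited echo reply from {peer} id={ident:#06x} seq={seq}")
    print(reflector_summary(SAMPLE))
```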

This is not exactly revolutionary, but it is interesting. Unfortunately, the speakers did not have a very firm grasp of cryptographic fundamentals or of elementary mathematics. For example, they made a big deal of the fact that the number of permutations (i.e., N!) grows really fast.

It was claimed in this talk and in other Defcon talks that given enough time, any crypto can be broken. In contrast, I recently heard Shamir (of RSA fame) state unequivocally that AES with a 256-bit key would be secure forever---regardless of any foreseeable advance in computing. You'll have to decide who is more credible.

4:00pm: Anonymous remailer panel

Remailers are services that forward email, making it difficult to trace the source. Such systems enable anonymous email. The panelists were people who run anonymous remailer services.

The first question was about spam, and they all claimed that spam is not a problem, since spammers would stand out from everyone else, compromising their anonymity.

There was a lot of discussion about legal issues (having been visited by the Feds seemed to be a badge of honor). The technical upshot appeared to be that if you are really really paranoid, you should run your own remailer, since that is the only way to be certain that things are being done correctly (e.g., no logs are kept). But there is also a need for a certain amount of traffic through any remailer, so that users can remain anonymous. Consequently, they don't want too many people to start running their own remailer. How many is too many? They said that today there are only about 30 remailers worldwide and that current traffic could only support at most 50. Interestingly, at least 20 people who run remailers (out of a worldwide supply of 30) were in the audience.

5:00pm: I left Defcon early since I was tired of fighting the crowds. After some good spicy Indian food I biked to the New York, New York casino and promptly lost $5 (I'm a high roller). I then found a great pinball machine in their arcade, which I played for hours for just $2---one of the best bargains in all of Las Vegas. Then I biked back to my hotel, admiring the incredible fountains at the Bellagio on the way.

------------------------- Saturday -----------------------------

11:00am: Putting the T back in cyberterrorism --- Sensepost

According to this speaker, the problem with most network attacks is that they "don't hurt enough". A successful attack

The best approach, according to the speaker, is a worm. There seemed to be general agreement that worms are a hacker's best friend. "Denial of service on internal networks is fun" since there are more attack methods available on an internal network, including

The speaker then discussed methods to get a worm into a system. He conducted an experiment at a bank in South Africa. He sent 13 people an email with a link to a "new screen saver". When the link was clicked, it would make a secure connection (thus avoiding a firewall that was trying to filter exe's) and download an exe file. In the experiment the exe didn't do much, but in a real attack, it would have carried a worm. Of the 13 people who received the email, 8 downloaded the exe and 5 executed it.

The speaker then went on to present a very interesting example of how to "footprint" an entire country, using nothing more than Google and a few scripts. For example, the results of a search for

      +@company.com -www.company.com

can be fed into a script that scrapes off the email addresses. He was able to gather a huge collection of email addresses for various sectors such as telecommunications, energy, financial, prominent businesses, emergency services, transportation, and the press. In each of these he was also able to map out departments and sub-departments with a significant number of email addresses in nearly every sub-sub-department.

The ease with which this was all accomplished was astonishing. In fact he demonstrated a GUI tool that he's developed so that anyone can easily do the same. It was all quite impressive.

He discussed possible security measures but concluded that user education is the only one likely to be at all effective. Personally, I'm dubious that this could ever succeed to the level required.

The speaker's conclusion to his excellent talk was the statement that "a focused cyber attack is possible". This was certainly well-supported by his demo. This talk, combined with a later talk on worms (Network worms: What is possible?) together paint a bleak picture of the security implications of a well-conceived cyber attack.

12:00 noon: The UPS (Undetectable Packet Sniffer) --- Spyde~1, AutoNiN and Mystic

These guys built a device that looks like a power supply, but is actually a packet sniffer. It would have to be physically present on a network ("dead dropped" in their words) in order to be connected to the network. From what I could gather, it didn't seem all that clever and it didn't work when they tried to give a demo. The net result was a short talk.

1:00pm: Opensource Kernel Auditing and Exploitation --- Silvio Cesare

I was interested in this talk more because of the speaker than the content. I'd previously conversed with the speaker (via email) when I was trying to organize a conference session on digital rights management (DRM). He had posted some interesting comments regarding possible attacks on proposed DRM system and so I invited him to give a talk. Ultimately, he couldn't make it, but he definitely had a clue so I wanted to hear him speak. I was amazed to see that he was so young (about 20 I'd guess). After his talk, it was nice to get a chance to speak with him briefly in person.

The speaker analyzed the source code of opensource kernels for Linux and a couple of flavors of Unix. He spent about 3 months part-time manually auditing the code and he found more than 100 bugs and he claimed that nearly all were exploitable. He commented that a lot of people seem to think that kernel code is somehow special (designed and written by supercoders and security gurus) and therefore less likely to have bugs. He emphatically demonstrated that this is not the case.

Most of the bugs he showed were of the "input validation" variety. For example, if a string x is input, it should be verified that the length of x is less than the length of a buffer before copying x into the buffer. There are some subtle errors that can be made if, say, the validation check uses a seemingly-equivalent---but different---expression than, say, the buffer allocation code.

Other interesting things can appear in source code. For example, comments often contain words like "hack", effectively pointing an attacker toward suspect code.

The speaker's advice was to compile the smallest kernel that will work for you, since bugs were much less common in the core kernel. He also made the interesting observation that it seems to him that bugs show signs of "propagation and clustering", though he had no evidence to back this up.

He also commented that this work has implications with respect to DRM or "trusted computing", since a "trusted" kernel is not the same thing as a bug-free kernel.

3:00pm: Embedded reverse engineering: cracking mobile binaries --- Seth Fogie

The speaker views reverse engineering as "a tool, not a weapon". The talk began with a nice quick overview of assembly language on the ARM processor. He then showed how to disassemble a toy program he'd written and then debug the code to find the crucial instructions for entering a serial number. He was able to then directly modify the binary to bypass the serial number check. He accomplished this in three different ways. It was quite a nice talk and a very good demo.

5:00pm: Why anomaly based intrusion detection systems are a hacker's best friend --- Icer

A signature-based intrusion detection system (IDS) looks for signatures or patterns of known attacks. This is much like a virus scanner that searches for known viruses. Such a system is very effective against known attacks. But is there any defense against unknown attacks? Recently there has been much work on anomaly-based IDS, with the goal of identifying abnormal system behavior in order to detect an unknown attack.

The speaker began by setting up a false dichotomy---either you use a signature-based system or you use an anomaly-based system. Since anomaly-based systems are designed to be used with (not in place of) signature-based systems, it was no surprise to learn that an anomaly-based system can be defeated by many standard attacks. The speaker finally got around to mentioning the obvious, namely, that both types of IDS should be used together and that anomaly-based detection is a good idea, even if it has not yet achieved its full potential.

The speaker did give a reasonable discussion of attacks on anomaly-based systems. For example, by going slow, an attacker could hope to eventually convince such a system that the attack is "normal".

-------------------------- Sunday ------------------------------

9:30am: As usual, I was awake long before the talks. So I decided to bike to the New York, New York casino, where I promptly lost $5 gambling (my limit) and proceeded to play pinball for the next hour. Then I biked to Defcon. It's safe to say that I'm the only one who bicycled to the conference.

11:00am: HTTP IDS evasions revisited --- Daniel Roelker

The speaker discussed web attacks. These sorts of things would be an embarrassment for an intrusion detection system (IDS) but not seriously harmful. The speaker discussed two methods for evading intrusion detection systems at the application layer, namely, "invalid protocol parsing" and "invalid protocol field decoding".

Invalid protocol parsing involves finding confusing places in the protocol specification and testing to see if the IDS is able to parse it correctly. If not, an attacker might be able to get something malicious past the IDS.

In a similar vein, invalid protocol field decoding involves encoding a URL in a complex manner so that the IDS would be unable to correctly resolve the URL. For example, if "%" appears in a URL it is an escape into hex, so that "%41" is "A". And since hex 25 is "%", "%2541" is also "A" as is "%%34%31", since %34 is 4 and %31 is 1. There are a few other similar tricks as well. Not surprisingly, some IDSs fail to parse such complex expressions correctly, enabling an attacker to obfuscate a URL.

These two techniques could be combined to produce a cute attack. For example, HTTP 1.1 allows multiple requests in a single packet. So if the IDS only looks for the first request in a packet (invalid protocol parsing), and if a second request is obfuscated (so as to avoid simple scanning by the IDS), the second request will get through, even if it should have been filtered.
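The defender's answer to both tricks is to parse every request in the buffer and to decode each URL repeatedly until it stops changing, matching rules only against the canonical form. Here is an added example of that normalization (my own illustration, not the speaker's tool or code): the sample buffer, the host name and the "/private/" policy prefix are constructed for the demo.

```python
"""IDS-side normalization for pipelined requests and multiply-encoded URLs."""
from __future__ import annotations
import re

HEXPAIR = re.compile(r"%([0-9A-Fa-f]{2})")
MAX_PASSES = 5                      # bound the work an attacker can force
BLOCKED_PREFIXES = ("/private/",)   # constructed policy for the demo


def decode_once(s: str) -> str:
    """Single pass of %XX decoding; malformed escapes such as "%%3" stay as-is."""
    return HEXPAIR.sub(lambda m: chr(int(m.group(1), 16)), s)


def canonicalize(target: str) -> tuple[str, int]:
    """Decode until the string stops changing (bounded by MAX_PASSES).
    Returns (canonical_target, passes_needed); "%2541" and "%%34%31" both
    need two passes to become "A", which a single-pass decoder misses."""
    passes, cur = 0, target
    while passes < MAX_PASSES:
        nxt = decode_once(cur)
        if nxt == cur:
            break
        cur, passes = nxt, passes + 1
    return cur, passes


def split_requests(buf: bytes) -> list[dict]:
    """Parse every HTTP request in a buffer, not just the first one.
    Bodies are skipped using Content-Length so the next request line is
    found at the right offset."""
    reqs, pos = [], 0
    while pos < len(buf):
        end = buf.find(b"\r\n\r\n", pos)
        if end < 0:
            break  # incomplete request; a real IDS would buffer more data
        lines = buf[pos:end].decode("latin-1").split("\r\n")
        method, target, version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_len = int(headers.get("content-length", "0"))
        body_start = end + 4
        reqs.append({"method": method, "target": target, "version": version,
                     "body": buf[body_start:body_start + body_len]})
        pos = body_start + body_len
    return reqs


def inspect(buf: bytes) -> list[dict]:
    """Canonicalize each request target and apply the policy to the result.
    A target needing more than one decode pass is reported on its own, since
    legitimate clients do not double-encode."""
    findings = []
    for r in split_requests(buf):
        canon, passes = canonicalize(r["target"])
        findings.append({
            "method": r["method"], "raw": r["target"], "canonical": canon,
            "passes": passes, "multi_encoded": passes > 1,
            "blocked": canon.startswith(BLOCKED_PREFIXES),
        })
    return findings


# Constructed sample: a benign first request followed by a pipelined second
# request whose target only resolves to /private/file after two passes.
SAMPLE = (
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"GET /%70rivate/%2566ile HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

if __name__ == "__main__":
    for f in inspect(SAMPLE):
        print(f)
```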

Not surprisingly, there are GUI tools available that enable the hacker wannabe to produce tricky encodings of URLs. By themselves, these tricky encodings are not exploits, but they are a timesaver for the overworked hacker. The speaker demonstrated one such tool, HttpChameleon, which is a Windows GUI tool.

12:00 noon: Metamorphic viruses --- Sean O'Toole

Polymorphic computer viruses have been in the news lately. Such viruses change their form in an effort to evade detection. However, the transformations employed by polymorphic viruses are very simple. Typically, such a virus will simply be encrypted, and each instance will be encrypted with a different key. In that way, the body of the actual virus is different and can thus avoid signature based detection (the method used by all virus scanners today). However, the virus must also include code to decrypt the virus, and this enables the virus to be detected (with some effort) by traditional virus scanning techniques.

Metamorphic viruses are "body-polymorphic" viruses, i.e., viruses where the body of the virus itself changes from instance to instance---as opposed to simply being encrypted with a different key, as in the polymorphic case.

The speaker discussed the following techniques that could be employed to produce metamorphic viruses (or other metamorphic code, for that matter). The idea is that when the virus spreads, it first undoes its current metamorphism to yield a base version of the virus, and then produces a different metamorphed (is that a word?) version of the base code. The techniques discussed were the following.

This talk was quite interesting, but the speaker rushed through his material in 15 minutes. As with all speakers, he had 1 hour and if he'd taken more time and shown a few examples, this would have been an excellent talk.

1:00pm: Network worms: What is possible? --- Jonathan Wignall

The distinction between a worm and a virus is not always clear. The usual definition is that a worm actively seeks out new targets while a virus is more passive, requiring active intervention of some sort (say, a user copying an infected file).

The speaker gave a quick history of worms, from the Morris worm in 1988 up to recent cases such as Code Red, Nimda and Slammer. For each, he gave a quick comment on its relative strengths and weaknesses. He pointed out that worms can propagate via legitimate services, such as email, as well as via an exploit. His view is that legitimate services are a much more reliable transmission vector since "no worm ever failed by underestimating the intelligence of users".

He then described the ideal worm. In his view, such a worm would satisfy the following.

He then discussed "fast replication" worms. Such a worm might contain an initial "hit list" that it infects immediately. Then each successful infection would try to infect some block of the address space, scanning for copies of the worm. If a copy is found, the worm would move on to another block of the address space. Nothing quite this sophisticated has been seen yet, but he estimated that a well-executed implementation of such an approach could reach the entire Internet in about 15 minutes.

An alternative fast replication approach would be a "flash worm". Such a worm would initially contain a large subset of the address space---addresses carefully selected for maximum vulnerability and/or damage. Then at each replication, this enormous worm would split a part of its address space off into its sub-worms. This infection process could be viewed as a tree, where at each level the virus is getting smaller and smaller, since each carries a smaller sub-set of the original set of addresses.

For a flash worm to effectively target the Internet, the speaker estimated that, initially, such a worm would have to be about 400KB in size. Given high speed links for the first few rounds of infection and a well-written worm, he estimated that the entire Internet could be infected by such a worm in about 15 seconds. Of course, this is much faster than humans could possibly respond to such an attack.

The speaker then started to discuss slow spreading worms, at which point someone from the audience interjected that it would be "much cooler to infect the world in 15 seconds". The audience obviously enjoyed this comment.

The speaker discussed a few different types of slow spreading worms, which he labeled "stealth worms", "companion worms" and "power worms". He didn't seem to think that stealth worms (i.e., worms that evade detection until they have infected a large percentage of the network) were too much of a threat at present, since such a worm would be very tricky to code. A companion worm is a worm that carries another worm. These would require twice as much effort to program, so he didn't think we would see these anytime soon either.

The speaker's idea of a power worm is a worm that essentially develops its own peer-to-peer network. Such a worm would be better able to avoid trying to re-infect already infected hosts, and, more importantly, it could potentially respond much more effectively to defensive measures.

He then spoke briefly about the role of worms in information warfare, where the challenge is to infect only a part of the network, while leaving the remainder untouched. Then he spoke about possible defenses against worms. An interesting suggestion here was to have an array of personal firewalls overseen by a master. This master would look for anomalous network behavior. When it detected such behavior, it would temporarily block the traffic on most of the network, while allowing it to continue in one (or a few) place(s), in order to determine whether an attack was in progress. If it detected an attack, the master would have saved most of the network, while sacrificing some small part of it to the attack. This approach is designed to detect fast spreading worms, such as flash worms, but could certainly be defeated by slow stealth worms.

I found this to be a fascinating talk, particularly the concept of a flash worm. Combining the ideas in this talk with those in Saturday's talk on "Putting the T back in cyberterrorism", left me with the sense that the Internet is far more vulnerable than is generally realized.

2:00pm: Malicious code and wireless networks --- Brett Neilson

The speaker has apparently written a book on wireless security. This talk was an overview of wireless (what is wireless?, a history of cell phone technology, differences between various 802.11, etc.).

3:00pm: Host-based intrusion detection on Windows and Unix --- Dr. Rich Murphey

This speaker didn't appear to have prepared a coherent talk. Several of the talks I attended were like this and the only one of these that was successful was Phil Zimmermann's talk, and that was non-technical. I left this talk after about 15 minutes since it clearly wasn't going anywhere.

3:30pm: The only remaining Defcon 11 event was the awards ceremony at 4:00. But I was getting tired of it and so I left and biked back to the Strip. After much gluttony and more pinball, it was time to go back to my hotel for a good night's sleep before the long drive home on Monday.

Conclusions: For me, Defcon 11 was fun and educational. The quality of the talks was extremely uneven, but the best talks were truly excellent. The extracurricular activities surrounding the talks were interesting and generally entertaining, if a bit too profane for my tastes. I particularly enjoyed "spot the fed". In fact, I was concerned that being a former Fed myself, I might be "spotted". I guess the six months I spent growing a goatee paid off.

There are some things I'd like to see done differently. First and foremost, there clearly needs to be more quality control with respect to the selection of talks. I'd also like to see some tutorial sections. For example, I heard a great deal of nonsense related to cryptography. A good tutorial on cryptography would have provided useful information to a significant percentage of the attendees, I believe.

Another unusual aspect of Defcon is that there are two large, diametrically opposed, groups of attendees. For lack of better terms, let's call them "hackers" and "security professionals". The age gap between the two is probably more than 20 years, on average (though there were a fair number of "gray beards" among the anarchists). So perhaps it's not too surprising that there's virtually no interaction between these two groups. With effort, I was able to have a few conversations with college-aged kids. But I teach college, so I might have an unfair advantage. Surprisingly, I found it almost as difficult to break the ice with most of the security professionals. Maybe my goatee was the problem. In any case, anything that might encourage some communication between these groups would be useful.



Brought to you by Mark Stamp, Number 85
E-Mail: mstamp1@earthlink.net
Last Modified: August 9, 2003