My short bio: I created the Hardware Hacking Village at Defcon, the [email protected] Mystery Box Challenge, the hackable badges and cryptographic challenges for Defcon...

My Proof: http://www.wired.com/2014/08/defcon-2014-badges-revealed/ http://www.wired.com/2008/08/the-defcon-16-m/ http://www.wired.com/2009/08/defcon-17-mystery-challenge/

Twitter @1o57 https://twitter.com/1o57/status/615267681688780801

Comments: 174 • Responses: 63

BananaToy30 karma

What exactly is the point of the AMA if most of your answers are 'I can't comment' and you stay anonymous? Are you selling something or do you have an agenda? Isn't this better suited on /r/casualiama?

P.S. I'm a half-dinosaur/martian/robot. AMA

1o57-3 karma

Most of my answers are direct responses. In fact all but this one thus far-

As far as anonymity, I think I've been pretty open with information.

Or half troll? :)

Anti_fascism_machine20 karma

Cicada 3301. Any comment on what that's about?

1o57-49 karma

You are not the first to ask me about this.

Same answer: no comment.

DarkMason12 karma

Some of your challenges feel like they have a Masonic influence. Is this by design?

1o5713 karma

If you read about the badge designs I did for Defcon 21, you'll see the clock-work mechanisms that were part of the Uber badges- that was an homage to my grandfather, who was a jeweler and a watchmaker- and as a jeweler he used to make the rings and other things for local Masons....

EatGulp7 karma

Jeweler/Watchmaker here

Wish I knew how to code :)

1o5721 karma

Watchmaking skills are dying. Please try to keep that skill tree alive - teach someone- anyone...

FlamingoGuy6 karma

I'm super willing to learn how to make nice jewelry and watchmaking! I love looking at how watches/clocks work and would love to learn how to make and repair them and eventually do that for a living, but I don't know where to learn how to become a jeweler/watchmaker =(

1o575 karma

There are very few watchmaking schools left. Some of them will even pay for you to learn the trade...Google is your friend here...

highwiz9 karma

How did you get "involved" in defcon?

1o578 karma

I was a math dork with coding skills and a soldering iron. I went to my first Defcon alone. I still feel like that math dork, now I'm just really involved :)

I got involved because I wasn't afraid to talk to people, and I wasn't afraid to fail. I knew there were people at Defcon who were way more intelligent than I am, but I didn't let that stop me from participating and talking to people...

highwiz7 karma

I was fishing for you to tell your "Building robots on the floor" story.

1o5711 karma

Hehe- ok fine-

The story HighWiz is talking about is actually how the Hardware Hacking Village was created:

Many years back I had gotten Parallax to donate a bunch of robot hobby kits- like 50 of them- so that year at Defcon I started at one end of the conference, and like the Pied Piper walked through the crowds of people shouting "Who wants to learn to build a robot"- by the time I had gotten across the entire conference space I had a line of people behind me- since we didn't really have anywhere to go, we made a big circle in the middle of the contest area floor. Everyone sat and I taught an impromptu class on basic servo hacking, subsumption embedded systems programming and basic electronics- people had a really good time- but we were literally sitting on the floor in the midst of 14,000 people at the conference- so the following year Russ Rogers and I formed the Hardware Hacking Village, so that we wouldn't have to sit on the floor anymore...

Auntfanny8 karma

Do the winners get recruited by the security services?

It reminds me of the Times crossword challenge that they used in WW2 to recruit people to crack the enigma machines.

1o579 karma

I know of many people who put winning an Uber/black badge from Defcon on their resume- certain employers, who have an appreciation and understanding of what that really means will take it as a bullet point worthy of note--- (in roughly 16,000 people at the con each year only approximately 15 uber badges are awarded/earned)

Kinda like the last Starfighter eh?

Xanian1237 karma

Can you solve the challenges you create?

1o5715 karma

I get asked that often. I always base what I include each year on things that I'm studying or interested in that year, so I'd like to think I'd find the solutions-

That being said, teams OFTEN find means to solutions that I had not thought of- and that's actually one of the most enjoyable parts of the entire process for me.

Each puzzle has multiple stages, and often multiple paths to a solution. There are also quite a few red herrings...

Xanian1234 karma

Thanks a lot.

1o576 karma

No problem. Have you been to Defcon?

Xanian1234 karma

I've heard about it in movies. But no, I haven't been to the convention.

1o577 karma

Yeah, we were even in an episode of the X-Files, although they said that we were a government conference- lolz-

If you're interested in these subjects, you should check it out !

By the way, we had a documentary made a few years back: https://www.youtube.com/watch?v=rVwaIe6CiHw

ewe_dew_real_eyes6 karma

IMO DefCon and the other security conferences present an opportunity to conduct HUMINT against the infosec community. Nobody in their right mind can believe the participants in these conferences are not deeply profiled by the powers that be. Individuals serious about the politics of infosec and anonymity should probably avoid the conferences altogether.

A. What is your opinion of the above statements.

B. What countermeasures do these conferences undertake to make profiling more difficult, and anonymity possible?

Thanks.

1o579 karma

It's a mixed bag. The same statements can be made of your traffic/packets, your ISP, your SSN, social networking sites, etc...

Of course profiling happens. Happens if you are at Defcon or not. Happens both directions too-

Take the cash only, no pre-registration policy of Defcon. That's for a reason. No paper trail. We also do not allow photographs in public spaces, and force all press to be registered and marked. Take the example of the undercover Dateline reporter that we caught and shamed in public, ultimately driving her from the conference: http://arstechnica.com/security/2007/08/only-at-defcon-nbc-dateline-nailed-trying-to-nail-feds-hackers/

I think running HUMINT on someone in a place like DEFCON, where you are MORE likely to be on guard is much more difficult than an SE spear-phish in different settings...

ewe_dew_real_eyes1 karma

Thanks for your response.

The same statements can be made of your traffic/packets, your ISP, your SSN, social networking sites, etc...

Sure, but DefCon is self-selected for an affinity to all things infosec. So there's a meaningful distinction to be made here. Attending says "watch me" and presenting...

If you don't see Defcon as a vulnerability, it's hard to patch. The measures you mention are necessary but insufficient. For example, if the hotel CCTV is active, as it most certainly is, the rule against public photography is moot, as passive facial recognition attacks can be conducted from the hotel security control room.

It's not enough to say that every conference enjoys the same vulnerability, or that people who attend chose to be public. The question is: is it possible to attend (any) conferences anymore without being profiled, ingested? The answer must be no, especially if we're using the half-way countermeasures you describe. I think it's an interesting problem, fundamental to conferences in general, and not a special topic, or sub-heading. It's the thing itself.

After all, if an organization can conduct passive facial recognition attacks on Defcon, then you guys are being hacked.

For me this is a puzzle worth solving.

Edit: Privacy village, powered by Google. LOL. It's like the smart people gave up.

If you are interested in helping out with this year's Crypto and Privacy Village, feel free to join the Google Group (https://groups.google.com/forum/#!forum/cryptovillage), reach out to us on this forum, or on Twitter at @CryptoVillage (https://twitter.com/CryptoVillage).

1o576 karma

One of the badge hacks a few years back was using the processor on the badge to drive LEDs attached to a hat to defeat facial recognition...

All your arguments are true of public places in general at this point..

Japanese hacker cons are often attended by hackers in disguises (no kidding)

The use of handles, cash, and other SE misdirection are part of some people's standard OPSEC posturing...

Really you are talking about privacy in general- and with certain current tech (do you have a burner phone?) the discussion becomes less about conferences and more about just "public spaces"....

maligare5 karma

Two questions:

Many of your challenges involve foreign languages: What kind of references do you suggest a n00b linguist should use to start building familiarity (online? old-school text?)

Can we look forward to another post-defcon black badge cipher treat a la defcon 20? :)

1o576 karma

The single best advice I can give as far as linguistics goes- (and this goes for coders as well)- you HAVE to have an interest in what you are studying- honestly, if something is boring or uninteresting to you what's the point??? There are now great heaps of language resources online for darn near everything on the planet- I find joy in trying to find the things that haven't yet made it online-

Consider: I have to make my stuff "Google-Proof" or it's lame and boring...as the corpus of knowledge by giants like Google grows, that becomes an increasingly difficult task- but it can be done with altering your thought process...

I always try to leave a hook to the following years on the Ubers-

This year will plant seeds for next year actually....

Xanian1235 karma

Sorry for asking another question, but how did you end up doing what you do? What did you study, and on another unrelated note, how do you think the advances of artificial intelligence will affect your job in the future?

1o576 karma

No problem.
I actually am very interested in communication and linguistics (if you read any of the articles you'll see I often use ancient, dead, or strange languages into part of the puzzle game- try googling for something you can't type in or even recognize)- as such I studied mathematics, the "language" of science, as well as computer science (speaking to a compiler is no different than speaking to a person at the heart of the issue)-

If you're interested in how I wound up specifically doing these challenges for DEFCON, Wired did a bit of an expose on me last year that you can read here: http://www.wired.com/2014/08/defcon-2014-badges-revealed/ That article gives a bit of my history and background-

As far as AI, machine learning (ML) is more en vogue these days in security research than "AI"- and it's far from operational as you see in the movies- more powerful than that right now is big data analysis; finding correlation in huge data sets is big business- look at all the data mining taking place with social media information (hint: in any service that is "free", YOU are the commodity...)

Xanian1233 karma

I just read that article. What you do sounds really cool as fuck. Congratulations, and keep up the great work. Hope you stay ahead of your competition :D

1o575 karma

I tend to re-invent myself every three to five years, and as long as things stay fun I'll keep doing them- the Mystery Challenge was orders of magnitude more difficult than the badge challenges tend to be, but we wanted to open the games to a wider audience- that being said, I'm working on some cryptographic/puzzle side projects that will be ongoing....

And thanks for the kind words..

keptfloatin7074 karma

Would you be willing to / or have you already solved the Zodiac Killer's cyphers? The famous 340 character - Unsolved cypher

1o570 karma

I've looked at many unsolved ciphers, both professionally and privately....

Metallicock30004 karma

Have you ever hacked the Gibson?

1o575 karma

Only when I had a spinning phone booth...

jakuu2 karma

Not sure if you saw one of my last tweets. But I bought a phonebooth and it will be at Thotcon for that exact purpose.

1o574 karma

Nice - we thought about doing that a few times, offering photo opportunities for EFF donations or something...

bitcoins3 karma

Do you need help with anything? I wanna goon this year!

1o571 karma

Hehe- I get asked this quite a bit too- if you're interested in gooning, you should find an area you think you could help out with, and find the goons in those areas and simply offer to give a hand- that's generally how we get new goons...

bitcoins3 karma

Tried that a few years, no luck

1o577 karma

Sorry to hear that- if you make it to Defcon this year, stop by the 1o57 room on the conference floor and introduce yourself...

highwiz1 karma

Have you tried getting involved with some of the villages? Just getting yourself involved and giving back to the community makes you much more desirable when people look for goons.

bitcoins2 karma

I'm getting involved with the biohacking village this year! Really excited!

1o572 karma

Excellent. Always welcome new people!

Thisismyfinalstand3 karma

Complete novice that would like to get into pentesting and/or consulting, any suggestions on where I should start?

1o576 karma

Start reading. Find what aspect of red teaming interests you. Find a local hacker space in your area, or DC group.

Attend conferences.

chevybow3 karma

Any advice for a cs student that's interested in cryptography but doesn't know how to get into it?

1o577 karma

Take all the math you can stand. Programming languages come and go- math doesn't.

QA_ninja2 karma

do puzzles. Specifically logic puzzles where you have to be VERY open minded in getting the solution. I'd also work on pattern matching, it's a very great skill for solving puzzles.

KnowledgeNate1 karma

what kind of puzzles? where can i find these puzzles?

1o572 karma

Or you can come to Defcon and try my puzzles :)

Trogdor_Burninating2 karma

I am attending Defcon for the first time this year. What are three things that every new attendee should do?

1o575 karma

Attend Defcon 101.
Talk to people. Try and participate in something. Anything.

pronto1851 karma

http://www.jk-47.com/2015/06/bsideslv-defcon-2015-conference-tips/ <-along with defcon 101 check this post out

1o575 karma

LOL- that post calls badge hacking "solo" - it's far from that every year ;)

JK47TheWeapon0 karma

While the badges recently have been made to try to increase human networking and interaction, I have also seen many just keep their heads in their laptops and IDE, I was one of them. I updated the post for clarity.

DC18 was a little eye opening for me, spent way too much time thinking "What can I make the led do? What msg is hidden in it?" Missing everything else going on around me. I just wanted to warn people not to get too caught up in that.

People can make DC what they want of it, but from time to time I hope they get off their laptops, and into the human world.

P.S. Utmost respect from me for thinking at a level that I can't begin to understand for the contests ;) Every year I'm amazed.

1o571 karma

To be fair, DC 18 was designed by Joe Grand- and for the 4 years previous to that- those were designed for purely a hardware hacking challenge-

I do my designs specifically to require interaction with others in order to find solutions- You can't solve my puzzles without talking to others, because your badge does not contain everything you need...neither does your lanyard....

night_on_the_sun2 karma

Was Defcon cancelled this year? I know it was, just wanted you to confirm.

1o573 karma

Defcon is always cancelled ;)

billdingishere22 karma

Are you a member of any hacker groups or things of that nature?

1o573 karma

Sure. The only ones that I will comment about publicly- shout outs to the Tribe, 303, 602 and 949, as well as APG.

There are others that I decline from comment on.

QA_ninja2 karma

Any details for this year's mystery badge puzzle?

Are you making the black badges again?

1o571 karma

Can't give anything away before the contest officially gets underway- many people take this competition very seriously :)

Yes, I'm hand assembling the black badges, like I do every year that I do the badge designs...

I've said a few things via my twitter feed, but I also tend to 'hide' clues out in the open...that's part of the fun for me...

ddooookk2 karma

This'll be my first DefCon, and I'm bouncing off the walls with excitement. I understand the badges switch between electronic and non-electronic each year. Can you confirm if this year will NOT have electronic badges?

1o572 karma

That is correct- we try to do an on-off cycle for the electronic badges- it forces our creativity and keeps the whole thing from getting stale- every security conference on the planet now has electronic badges- so we try to keep mixing it up...

I hope you enjoy the con- this will be our first year at this new venue, so things should get interesting...

ddooookk1 karma

Thanks. Yeah, it's gonna be an experience for sure. Hopefully I'll try and have a crack at your mystery challenge too.

1o574 karma

Strictly speaking the badge puzzle and crypto challenges are not the Mystery Challenge- the official Mystery Challenge ran for 5 years and was then retired- just getting into that game required teams to find out and solve even how to register and compete-
The Mystery Challenge was brought out of retirement for 1 additional year for the Defcon 20 year celebration-

The badge challenges have little parts that are for the 'casual' gamer type, as well as difficult synthesis of other cryptographic, physical, and various other puzzles, riddles etc- so hopefully there's something for everyone...if you get a chance stop by the 1o57 room on the conference floor and say hello.

highwiz1 karma

Non-electronic. Tick-Tock.

1o573 karma

Highwiz is completely correct. For those new to Defcon HighWiz is an integral part of the community, and responsible for Defcon 101 tracks...

QA_ninja2 karma

Are you going to make a "special" badge for the media again?

1o574 karma

Be sure to find a member of the press this year and look at the back of their badge...

Take the meaning for what you will... :)

(For those wondering, I tend to not be very positive as far as the press is concerned- when they attend a hacker con they are looking for sound bytes or shock bits to run in their stories- translation: at a hacker con the PRESS ISN'T YOUR FRIEND. The year I did the playing card badges there was a reason the press was a "deuce")

ohbuckeye1 karma

what is the reason?

Zudane2 karma

As a guess... a deuce is a 2, so it'd be calling them shit.

1o575 karma

Exactly.

Also the lowest card in the deck.

All the other non-human badges were face cards with detailed art-work...

bitcoins2 karma

Or blackhat attendees :)

1o573 karma

So that is due to the fact that the registration line for Defcon is something of legend- some people wait in line for hours, if not days, because of the problems we had with running out of particular badges each year- well when folks who don't stand in line get their badges AT Blackhat, it kinda pisses me off- so the year of the cards we sent ONLY deuce cards to BlackHat....

DirtiestHarry2 karma

I'm an accountant but would love to explore computer science and coding. How in the world would a complete and total novice go about pursuing this?

1o574 karma

Points to consider- at some point, everyone was a complete and total novice in this field-

I can also say that some if not most of the best security professionals and hackers I know come from other disciplines first- for some reason hard core CS and CSE folks tend to follow certain paths of thinking (that I guess they learn from school/functioning in those roles) which DOES NOT lend itself to breaking and exploiting the very systems they build (they spend their lives trying to make stuff NOT break)- If you simply want to learn coding, there are loads of online resources - as far as hacking/security, come to Defcon ;)

FireFromTheWire2 karma

Can you give me a challenge?

1o574 karma

Well, sure.

You're welcome to try the badge challenge this year at Defcon, or to FIND the new mystery project I'm working on. (It's in the same vein as FINDING the registration for the Mystery Challenge in the past) but this will be an ongoing project...

FireFromTheWire2 karma

Alright I'll bite and search for it. I guess I'm from the era where walking into a conference full of hackers and intelligence agents keeping tabs on said hackers was not a good idea. I've had friends/acquaintances do presentations but I'll never understand why they put themselves out there like that.

1o574 karma

Read through some of the wiki write-ups from past Mystery Challenges- might give you an idea of how things sometimes go...

oliversjgilmour2 karma

What operating system do you use?

1o574 karma

Depends on what I'm doing...with the advent of virtualization it's almost a moot discussion now- but I do enjoy FreeBSD, and lately Mint with Mate...

oliversjgilmour5 karma

Mint? I thought as a hacker you would be more inclined to using something like BackBox or Kali.

1o574 karma

Like I said, depends on what I am doing- pentests vs RE, etc... And I can't take the ubuntu base on Kali- I lament the loss of backtrack in that regard-

generally for pentests you should roll your own so that you are intimately familiar with your system- lots of people moving to Arch for that- I was using #! for a while, but it's gone now too ;)

jakuu1 karma

I love that you're getting upvotes for listing 2 "hacker" OSes. The things about those OSes is they are great to have around since all the tools are pre-installed and setup for you. But most of us will have our own setup with all the tools we use day to day, in the environment we are most comfortable with.

oliversjgilmour1 karma

I'm interested in hacking. Could you please recommend five must-have tools?

jakuu5 karma

netcat, grep, awk, echo and cat.

But seriously there is really no 5 must-have tools. Each job requires a different set of tools or technique and hacking has different areas of focus. What kind of hacking are you interested in?

1o577 karma

If listing awk Jakuu, don't forget SED (they go hand in hand)- I would say get shell scripting experience. Learn some Python. Play with nmap, ping (learn more about it), grep goes along with the shell scripting (and regular expressions)- get a good book...

I gave a Defcon 101 talk about basic things to get people started a while back...not sure if that's online anywhere...

Oh, and Jakuu is a smart freakin' dude. Take his advice seriously as well...

hahahalloun2 karma

Who IS the best hacker you've encountered?!

1o574 karma

That's subjective. I'm surrounded by some very intelligent people at Defcon who make me feel humbled. Too many to name.

mask5672 karma

can you solve the chiliad mystery for us? /r/chiliadmystery

1o574 karma

hehe- I'm more of an Elder Scrolls Online guy...

zmasinelli2 karma

Recently finished reading Ghost in the Wires, the story based on the experiences of Kevin Mitnick. I thoroughly enjoyed the story, but I wonder how much of it is true/plausible. Any thoughts?

Also, thanks for this AMA!

1o574 karma

Try getting the story from as many points as you can (have you read Takedown?) And rack and stack. Kevin comes to Defcon most years, as do feds who tracked him....

zmasinelli2 karma

Will do, thanks for the response. It's always awesome to hear from someone in the field.

1o573 karma

Thanks for the questions....had more people show up than I thought...

buttheadface2 karma

Any tips for someone struggling to pay for a trip to defcon?

1o574 karma

Find a ride-share if you're close- hit the Defcon forums and see if you can find crash space- many people come each year and don't even have a room- they find someone to crash with, or get 'creative'-

The Defcon forums will often have caravan listings of people you might be able to get a ride to the con with-

I've seen GoFundMe people trying to get to Defcon as well.

If you're a student try getting your school to sponsor you in return for some type of story or mentorship when you get back...

hahahalloun2 karma

One more, What's the best hacking-related prank/joke you have ever performed?

1o573 karma

A few come to mind- it's always fun to take a snapshot of someone's desktop, and replace their wall paper with it, then remove all of their icons (so the icons appear in the picture of their wall paper)- that's always good for a laugh

I've gone as far as hiding a system inside of another system, stuff like that...

Simple stuff seems to be the best for pranks-

One time we replaced the firmware on some WAPs so that all images were replaced with Rick Astley (it was a while ago)-

As far as the crypto challenges go- I've always liked that at the very first mystery challenge I gave the teams the answer to the entire cryptographic puzzle right at the start and they didn't realize/know it....

SgtShitlord2 karma

I really want to get into hacking as a profession in the future. Any advice?

1o573 karma

Figure out what about hacking you enjoy- social engineering? Reverse Engineering? Red team? Blue team? Penetration tests? Government? Private Industry? Military? Consulting?

Get a bunch of VMs spun up either on virtual box or vmware, and run through some tutorials or books on your own infrastructure- practice, and read...

Jeffums1 karma

What's the deal with airline food?

1o573 karma

it's a stretch calling it food.

Jerry, is that you?

Skalpel13371 karma

What is that?

1o571 karma

That is Kryptos, which is at the CIA headquarters.

There are several online groups who work on the Kryptos ciphers....

Blitzkreig3031 karma

Are you hacking right now?

1o573 karma

Always.

boobiebanger1 karma

Would you rather fuck one horse sized duck or a hundred duck sized horses?

1o573 karma

I'm not really into animals, but if I was I guess I'd have to check the type of horse for purposes of scale. And I'd also clarify what radix your numerical references were utilizing, I guess I've seen too many episodes of the Twilight Zone where bargains with the devil often involve trickery...

MysteryChalleger1 karma

Hi 1057 - You make the highlight of my DCs and are clearly the most talented person there. Sufficiently buttered up, what news have you on any mystery challenge?

I'm counting the days.

1o571 karma

LOLz.

Thanks. Now I'm scared :)

Is what you're asking if the Mystery Challenge is coming back?

MysteryChalleger3 karma

Well yeah - that or any precursor to the badge challenge like @ tribeca ;-) except well, meant for us.

1o573 karma

there is something in the works; not defcon related

croll121 karma

What age group do the best hackers come from?

1o572 karma

All ages.

Seriously.

SenatorRandPaul0 karma

[deleted]

1o575 karma

I have a job. Do you have openings? :)

xscz0 karma

Are there any defcon-style puzzles online you can share with us here that we can attempt to get an understanding of what the hackers have to try to do?

1o573 karma

Yes. Stay tuned for a new project I'm working on :)

Vertigonesky-1 karma

Can you milk me Greg?

1o575 karma

As long as you've got nipples I would assume so...although it may take a while and not be pleasant for anyone involved...

ButteryMancakes-5 karma

What are hackers going to do now that PCs are obsolete?

1o574 karma

lol. And the backbone infrastructure of all our phones, tablets, and even these reddit servers run on what? ;)

black_phone3 karma

Hacking will never die, it didn't start with PC's anyways. Think of it as manipulation or change, not bound to one field.

1o574 karma

Yes- I think of hacking as a mindset- in fact I'm in the camp that you can't teach someone to be a hacker- it's a part of your thought process and means of problem solving- I can teach someone techniques, but not how to craft creative and unique solutions.

Hacking originally referred to radios or trains (depending on who you ask)-

But it's really a mind set. And the damned press usually gets the usage incorrect. I liken hacking to intellectual curiosity...

m57c1 karma

I think that the mentality can be taught. The problem is that rarely does anyone really talk about hacking in that way anymore. What I really appreciate about Defcon these days is the willingness to promote the mentality and community over false ideals of leet hackerdom. First time I saw the badge challenge I didn't even try, next time solved one puzzle, next year formed a team out of people I met in line and in the hallways and we finished second by minutes, next year we came back solved it again, this year we are coming back to do it again and we are coming for the black badge. Each year the puzzle got harder and I got better at solving puzzles. Did my crypto skills improve? Maybe but really it's the mentality that improved. Don't give up, try everything, and trust your instincts. See you at the con Lost.

1o574 karma

Good luck guys ! :)