innismir.net

This floated across my Twitter stream yesterday: Internet Lawyer Take: DEFCON Spinning Out of Control? Watch out, you might want to make sure you’re caffeinated and sitting down while you read it.

Where do I begin?

Typical DEFCON attendee in Mr. Dozier's Mind

• Basing the criticism off two anonymous people’s complaints? Check
• Vague complaints about evil hackers trying to deface his website during Defcon? Check
• Suggestions about a possible Oracle genocide because of DEFCON? Check.
• DEFCON is all about 15 year old kids learning to do l33t h@x? Check.
• Sensationalizing various happenings without going into detail as to what happened? Check. Check. Check.

Dozier seems to be of the opinion that DEFCON is a cespool of high school students who sit around their laptops trade mad hax and attempt to knock power grids offline all weekend. As anyone who has attended DEFCON knows, this is a complete load of horse puckey. DEFCON is essentially a Black Hat after party in which you get to kick back, enjoy Vegas, talk shop with other InfoSec people, and essentially spend most of the convention in an inebriated state (provided you’re over 21). I thoroughly enjoyed both times I attended.

Mr. Dozier seems to really dislike anonymity. He goes to suggest that DEFCON get full details on every attendee to flush out the less desirable elements. I’m sure Mr. Dozier would be aghast to know that when I spoke I used a pseudonym. Why would an upstanding citizen like me choose to be anonymous even when I was speaking about an relatively innocuous topic? Because I enjoyed keeping my identity somewhat under wraps and more people knew me under my pseudonym rather then my real name.  When you deal with random people on the Internet, it’s very common to associate an e-mail, Twitter name or forum handle more easily with them rather then a full name. This has been the case since the early days of networked computing, as evidenced in Guy Steele’s “Confessions of a Happy Hacker” from The New Hacker’s Dictionary, 3rd edition. (Aside: If you like Hacking History, get this book.)

…when Barbara and I got married, we sent out wedding invitations of the usual sort without considering the consequences. One hacker friend was completely puzzled: “Barbara Kerns … Guy Steele … Who are these people???” His girlfriend looked over his shoulder and said, tentatively, “Guy Steele … isn’t that Quux?” This was someone I knew quite well, but he knew me only by that handle.

The statements on Oracle really have me scratching my head. Mr. Dozier seems to be confused about the cause and effect of things. In his train of thought, any kind of Oracle breaches from here on out are solely the fault of DEFCON and the MetaSploit project. Never mind the fact that all of the exploits have existed in the wild for quite some time, or the fact that they will be used by people such as myself to demonstrate to non-technical people that their Oracle server is doomed. These tools will only be used by 15 year olds who will deface websites, steal identities, and use their ill gotten gains to fuel their $1500 a day XBox Gamer Point habit.

As for “embarassing [sic] the federal authorities” everyone who goes to DEFCON is well aware of the “Spot the Fed” competition. Every time I saw a “Fed” “spotted” it was very non-adversarial and amusing for all parties involved. If his “exceptionally talented and knowledgeable government security types”  have a problem with this they need not attend, which they don’t. I also think that they need to develop a touch thicker skin.

Finally this leaves me shacking my head:

Is there a Free Speech right, protected by our First Amendment, to describe in detail ways to hack into computer systems when it is a federal and state crime to hack into a protected computer? At Dozier Internet Law we know this issue is yet to be fleshed out fully but we expect that criminal conspiracy laws could come into play at some point.

Mr. Dozier better get his lawsuits warmed up. I hear there are also conferences where people talk about things like guns and ones that talk about cars too. People get killed by cars and guns EVERY DAY! Surely this needs to stop!

One thing I will give him credit for is his web design: I think I’m start calling myself an “Internet Security Engineer” and rename my weblog to “Ben Jackson, Internet Security Engineer for the Commonwealth of Massachusetts, GIAC Certified Intrusion Analyst, Author of “Asterisk Hacking”, FCC licensed radio amateur, subject of an article in Infoworld, and stunningly handsome offers and Internet Security Engineer perspective on the web, Amateur Radio, and his life” — Instant credibility.