Done with Microsoft, hackers turn to locks?

Aug. 11, 2008

DefCon is an interesting inverse to the standard security conference. Instead of hearing stories about "how we kept the bad guys out," you hear the stories of "how we let ourselves in." Not that they're necessarily the bad guys any more -- since some hackers at DefCon use the conference to publicly humiliate companies and technology developers into improving their security.

This most recent DefCon was held August 8-10 at the Riviera Hotel and Casino in Las Vegas, and if you're just hearing about DefCon, let me say that this is a hacker's show. Show organizers are even known to encourage attendees to hack the conference's electronic access badge. Even so, government security pros (read: bureau and agency guys and gals) are known to attend to stay up-to-date on what they'll be faced with.

One thing that has been happening a little more each year is that the hacking community has recognized that not only can they hack electronic security, but traditional physical security devices can fall to their hacks as well.

As at recent DefCons, lock picking was taught at this year's DefCon 16 -- presumably because it's easier to perform IT hacks inside a facility than it would be from "outside". One of the hackers apparently was also showing off how to pick Medeco locks using simply a picture of the key and some disposable plastic (old credit cards or plastic from the Shrinky Dinks children's toy); the same hacker was known for showing how to bump locks, even so-called unbumpable locks.

Gale Johnson, an accomplished locksmith and editor-in-chief of Locksmith Ledger, provided me insight into what really was being shown at DefCon in terms of the lock picking:

"Mechanical locks depend on a singular-shaped operating key. I have a comparator machine and have measured the factory specs. for over 2000 different types of keys. This information is not a secret and is available from multiple sources. Therefore, if you can obtain a picture of an operating key, obviously someone with the factory specs can possibly originate a working key. This is true of any mechanical key. The discovery in Las Vegas is no discovery at all."


Thanks, Gale, for giving us a quick run-down of this so-called hack. We also posted a story on the SIW homepage about other tactics to get into buildings being proposed at DefCon 16. What's clear is that hacking isn't just for Microsoft anymore.

-Geoff