Defcon was held once again at the Riviera hotel in Las Vegas.
I think the attendance went up from 5,000 last year to 12,000 this year. The organizers used the same room layout, which resulted in gridlock at times in the hallways, but I was always able to get into a talk.
Getting a badge was an adventure again this year. They started with a laminated greenish paper one, and allowed approx. the first 10,000 attendees to trade for an electronic version that included a radio transmitter with LED.
Lots of interesting talks, but my executive IT summary would be:
- Use Firefox and the NoScript plugin to prevent JavaScript attacks.
- Social networking sites (Facebook, MySpace, etc.) are not safe to view because of JS attacks by XSS and applet JS attacks.
- Microsoft SQL Server is subject to a lot of automated attacks now, so it is hard to defend, especially with the recent .NET built in.
- You can use the ssh-vulnkey tool on Debian to see if your SSH keys are weak. 3% of VeriSign SSL certs are vulnerable.
- nmap --reason -T4 is recommended as being useful. Also, nmap now has rate limiting options built in, and a nice Windows frontend called Zenmap.
Some of the talks I went to …
nmap, Fyodor
The nmap talk alone was worth the trip.
I talked to one guy who rented a Segway for $125/day during the conference. He said it was handy for getting around the long halls, and used it instead of a taxi for short trips down the strip.
I bought a Foundry switch and a Tripp Lite rackmount 20 amp switch from one vendor and was able to scrounge up a discarded cardboard box for the airline trip back.
I asked him what he did with gear after the conference and he said, “I have to truck it back because when I gave away free equipment at the Alexis, it ended up in the pool.”