In the Masquerade wing of the Rio Hotel and Casino in the gambling capital of the world, there’s a giant statue of a head hanging over a lobby of slot machines.
The masked figure has two faces and four digital eyes — clairvoyant blue — that track back and forth constantly, as if recording the movements of everyone who enters.
That awkwardly self-conscious — even slightly paranoid — feeling you get from being watched by that enormous casino head is pretty much a steady state for most of the hackers who attend the DEF CON hacker event, taking place at the Rio this weekend.
Started 19 years ago as an underground gathering of sometimes-nefarious computer wizards, DEF CON has sprawled into a 15,000-person, four-day convention where anyone with $150 — in cash only, please, lest these hackers give up their identities — can learn the latest tricks of the trade in computer hacking, lock picking and security breaching.
The aim of the event is to better inform both insiders and everyday people about the risks of operating in our increasingly digital world and to work on solutions. But the practical result of gathering this many highly skilled hackers in one building — in a Las Vegas casino, no less — is that everyone here is experiencing some level of terror.
Insiders say there’s no place on Earth where you’re more likely to get hacked.
“You’re on the most hostile network in the world. If you can perform business here, you can do it anywhere,” said Brian Markus, referring to the public Wi-Fi network at DEF CON, which veterans know to steer clear of.
Unlike at other tech events, which tend to focus on Facebook-like concepts such as “sharing” and “connecting,” DEF CON is all about who can stay the most private, and therefore, who will remain the most secure in this digital war zone.
Those who don’t are shamed into doing so.
Markus, for example, sits in a dark room in the Rio’s conference center watching Internet traffic. When he sees a password fly across the connection, which is often, he posts part of it, along with the user’s log-in name and the site he or she was using, on a large projection screen, which he calls the “Wall of Sheep.”
Within an hour of watching for passwords on Friday morning, his team from Aries Security had racked up 10 half-shaded passwords. (The team, and others, can see the full passwords and usernames, but they choose to protect the victims by only displaying the first three characters of each password. Kind of them, huh?)
So, how does one avoid the “Wall of Sheep”?
Markus suggests scrambling your Internet connection.
There are several free services that will do this, including OpenVPN and Ace VPN. That way, if someone like him is “sniffing” the Wi-Fi connection you’re using, they won’t be able to see exactly what you’re up to.
Another method: Type in “https” instead of “http” in your browser bar. That puts you on a more secure version of many major websites.
Plenty of people, however, are subjected to more sophisticated hacks.
Dan Kaminsky, one of the world’s most notable do-gooder hackers, said he had his personal passwords, e-mails and instant messages with a girlfriend dumped out into the public domain at a previous DEF CON event.
“If you walk onto a battlefield, you might get shot,” he said.
People still try to dodge the bullets, though.
As he darted through a mob of black-T-shirt-wearing convention attendees, Eli, better known by his hacker handle “Dead Addict,” told me how much he hates crowds.
Not only is there the social anxiety, there’s also the chance someone with an RFID reader and an antenna in their backpack could swipe your credit card info right out of your pocket.
The readers are the size of an old Walkman and, with a proper antenna, can grab data right off of credit cards that use quick-swipe technology (you can tell if you have one of these cards by looking for a little radio-wave symbol).
Eli, who started hacking in his teens and stopped breaking into corporate sites after all of his friends got arrested for doing the same thing, carries a metal-lined wallet to block this attack.
Other DEF CON veterans said they purchase junk computers they can throw away after the convention because they figure they’re going to get infected. Eli says he just leaves the laptop at home.
Most of the attendees carry cash. No one uses the ATMs after an incident in 2009 in which someone rolled a fake ATM machine into the event, according to Wired, and apparently used it to collect credit card information instead of dispensing money.
There’s also the anonymity of it all. Some hackers only go by their handles. Others don’t want digital records showing that they attended the event, which does not require attendees to register or give their real names.
I got an e-mail warning me about some of these security idiosyncrasies before I got on a plane for Vegas. Written by a DEF CON spokeswoman, and reprinted with her permission, the note was full of jaw-dropping advice: