Luna (Lindsey) Corbden's Blog, page 6

September 28, 2012

Paid, Published Story: Let the Bugs Work Themselves Out

Wait, what? I forgot to announce on this blog!

I sold a story. And it is now published at the Journal of Unlikely Entomology's 'Hello, World' mini-issue. The theme: A new world begins when technology and insects meet.

The title of the piece is Let the Bugs Work Themselves Out, and in short, it is about cyberpunk ants. It is my first paid, published story, with a real live editor and everything! I've read this piece aloud at two public readings, and it is the favorite of my pieces. It was reviewed favorably at Locus Magazine.

Read it here.
Published on September 28, 2012 14:18

September 25, 2012

Shelving Emerald City Hunter, Starting Novellas

Indie writing is a great experiment. The old formulas are being remixed in new electronic test tubes. The new media and models of distribution via ebook are changing reader habits, which are changing the industry.

As a new writer, I have taken lots of risks. My horror novella, Make Willing the Prey, became the prequel to my urban fantasy novel, Emerald City Dreamer. This is the sort of shenanigan that is simply not done in the publishing world, and there are good reasons for that. I was aware of the risks when I made that choice. Hey, I've got a long life. Might as well waste it in style.

According to tradition, the next step is to write a trilogy or series matching the pace and format of Emerald City Dreamer. And that was my plan, the plan I've spent the last few months (okay, year) following. I have a draft of Dreams by Streetlight Book 2, Emerald City Hunter, and have invested many, many hours in editing it.

Plans change.

Emerald City Hunter, as written, takes place eighteen months after Emerald City Dreamer. A lot has happened in that time, and the characters begin ECH after huge changes. Changes I haven't written about. Changes I gloss over and sum up. As with ECD, it follows four point-of-view characters with complex interweaving plots.

Frankly, it tries to do too much.

Too many stories in my Dreams by Streetlight world demand to be told, and sometimes I try to tell them all in a single project. Emerald City Hunter can't tell all of them.

This is a difficult decision, because it is a huge risk. Writing and publishing is a slow occupation, and I will not see the results of my decisions for years to come. Yet here it is: I will pause Emerald City Hunter. Instead, I will write a few novellas that take place during that eighteen month gap. They will be single-POV with simple plots told across 10-15 scenes.

There will probably be three novellas.

The first will be an adventure plot, featuring Sandy, doing what she does best: Fighting the fae. She will have a single antagonist, and will work closely with her friends and allies to that end. She will also begin her healing process. My working title is, Emerald City Iron.

Jett may need a novella all to herself, since she has grand designs that need to be begun properly. And the third will be another monster hunting story, either from Jina or Sandy's POV.

Novellas are an order of magnitude simpler, which I hope will speed up the release cycle, and let me do tiny projects (like short stories) in between. It also gives me space to really focus on the characters that you've come to love, rather than speeding past them like I tend to do in the fast-paced novels. I can cover a few of the background story elements I tried to cram into Emerald City Hunter, to make room for everything else.

Most importantly, I think this may bring back some of the "fun" to my writing process. Sandy needs a couple of monster-hunting romps, don't you think?
Published on September 25, 2012 18:08

September 17, 2012

Ultimate Fantasy Escapism: Choose Your Race, Choose Your Class.

You're starting a new game. It may be a table-top RPG, or the latest MMORPG. You create a character.

Your very first choice: Race. You can be a human, elf, dwarf, halfling, orc, lizardman, or cat-person. Some games even offer different kinds of elves (light vs. dark elves), and in still others you can be mixed-race -- say half-elf.

Your choice isn't just cosmetic. Your race will provide you with a starter personality and an ethnic background you can expand upon. Based on your race, your character will be given inborn advantages and disadvantages: differences in intelligence, strength, dexterity, charm, health, and ability to buy and sell at a discount.

Next you choose gender, which usually provides no difference in gameplay, other than how cute the ass is you will be staring at for the next eighty hours.

Then you choose your class. Do you want to be a fighter, or thief? Monk or mage? Archer or knight? Will you rule your foes with magic or might? Your birthright is yours for the choosing.

Of course we know fantasy is escapism. The real question is: What are we escaping from? The doldrums of life, certainly. Who wouldn't want the chance, through hard work and many hours of rolling dice and clicking mice, to eventually become a king? Or a powerful mage? (Alongside thousands of our peers.) It's the perfect blend of aristocracy and meritocracy: A world ruled by invincible hereditary dominance, with all the upward mobility of modern society.

But is there something deeper we're escaping from? It has bothered me somewhat, as David Brin has put it well, that fantasy glorifies a non-existent golden age. A medieval time when benevolent kings and mages (aka religious priests) kept the kingdom in a perpetual state of peace so the happy farmers could live out their simple pastoral lives, never having to worry about rush hour, corporate mergers, and Manager Rob.


If only...

So what is it that attracts us to that specific time? Why the middle ages? Why not the Enlightenment, when the class system began to change and people began to demand freedom and equality? What is it about the values of one of the lowest points of Western Civilization, sandwiched between the glory of the Roman Empire and the Enlightenment, that attracts millions of fans?

Could it be those worlds are acting as a surrogate for something we all crave? Could the clues to this craving be in the very words we use to describe our first choices in character creation -- "race" and "class"?

Violence is another nasty little element we idolize in our entertainment. When we look at history, we realize why the past wasn't so idyllic. Violence has been a regular part of the experience of nearly every individual on earth until very recently. Men were sent to war not once a generation, but once a year, with cattle raids and such happening more frequently. Even in peacetime, dinner came from the pasture or the forest and it was something you had to kill and dress with your own hands. No one had to wonder if blood had a smell, because it was more than just a smudge of red pixels on your computer screen -- blood was simply a part of life.

Violence is written in our genes. Now that we are more civilized, we have a historical privilege we all take for granted. We rarely commit or are victims of violence. Fiction is our outlet. We give life to imaginary phantoms, only so we can take it away with the slash of a sword. We can watch death, read about it, and even act it out, in a way that hurts no one.

Likewise, tribalism is writ in our genes. Racism, classism, religious hate. There was a time when the majority of our ancestors believed there were tangible physical, moral, and spiritual differences between peoples of other races, cultures, and castes. People outside the familiar group were not human, they were "other". And those groups were generally very small, limited to families, tribes, small kingdoms, or local religions. Killing someone outside your group came easily and without regret. Like violence itself, these were survival tools in a world where letting go of limited resources or undefended territories could mean your death.

Here in the United States in 2012, we have new values to live by. These values are luxuries we enjoy in a world with abundant resources, and in part, we have abundant resources because of these values.

Among them:

All humans are created equal.
All humans have the same capacity for achievement, regardless of gender, race, or class.
The playing field should be level so that hard work can lead to success.
We all deserve equal reward for equal effort.
Those at the top who do not contribute should fall to make room for those who do contribute.

Not everyone holds these values. (Just go read the comments section on news articles and YouTube.) But they are our cultural standard. It is what we strive for.

We take for granted that even mere decades ago, majorities held opposite values. During those medieval times, races were considered fundamentally superior and inferior. Members of the upper class were divinely chosen by birth. Knowledge was reserved for those privileged enough to join the clergy. Enslaving others, be it through ownership or serfdom, was considered noble. Forcibly robbing whole nations of their cultures was thought to be an act of moral goodness.

As our society slowly outgrows our base instincts, we have replaced real hate with playful outlets. We've built political groups, religious factions, sports teams, and subcultures, and most of the time, tribalism is harmless. More or less.

Racism and classism still very much exist, even in "civilized" America, just as violence still exists. People still die because of their race, and upper classes still believe themselves better and use power to maintain position. We are always poised on the brink of some terrible mob-mentality disaster.

At heart, we are still tribal. "Us vs. Them" is wired in the very nature of the human spirit. It is manipulated by politicians and religious leaders to keep us committing guilt-free acts of violence, large and small, real and metaphorical, against other human beings.

The important thing is that our society now strives to overcome it. Our fiction reflects this: The "underdog" movie is ever popular. The little guy works hard, and in spite of the odds, in spite of the intolerance and hate directed at him, he rises to the top. This is our culture's idea of a happy ending.

Yet our culture makes violent films as well. An outlet. A way to pretend.

Unlike violence, depictions of justified hate can actually reinforce real hate. How can we feel the satisfaction of superiority, without it being at another's expense? How can we foster a sense of equality while at the same time, satisfy our intolerant urges?

We log in, we choose our race, we choose our gender, and we choose our class.

Oh, we may not realize it. We don't set out to play at racism any more than we set out to commit play-violence. All we know is that it's fun to fight goblins and orcs and lizardmen. Everyone knows goblins are ugly and genetically inferior. They aren't human. We can kill them with glee, secure in the knowledge that they don't deserve to live. Secure in our knowledge that no one in the real world is hurt by our hate.

It's taken for granted that elves hate dwarves, and everyone justifiably hates goblins, and there's nothing wrong with that; no harm done. Dwarves can go on cracking elf jokes and having a good time, at no one's expense.

(That's not to say fantasy is entirely free from real-world parallels to existing cultures who are harmed by stereotypes. I frequently see culture appropriation that goes a little too far. Likewise, violence in media is not completely free from influencing violence in real life.)

We have the privilege to play at being underprivileged. If we decide we don't like life as an Asura Thief, because the Asura are too short and everyone thinks we look like children and we're big nerds, and we find out the life of a thief really stinks, we can start again, as a giant Norn guardian with a big sword, who doesn't have to take orders from anybody.

A new life and new destiny is just a re-roll away.

Most of the time, fantasy fiction is completely unaware of its own themes. Sometimes, much to my delight, a game or novel becomes aware, and uses fantasy intolerance to hold a mirror up to our society.

Dragon Age springs to mind. In this fantasy world, elves are considered inferior to all other races and have been segregated into "Orphanages". The game explores themes of racism and segregation. Most non-elves accept this reality. Some don't think it's fair. The elves themselves react sometimes passively, sometimes actively, and some have formed into groups to change things, sometimes using violent means. Your own character gets to make choices, and those choices have real consequences.

We play this game through our own culture's eyes. Unlike the dehumanized goblins of other games, where the world is bettered by the hated-group's demise, the elves have personalities. They are humanized. We know the elves' suffering is unjust.

Even when we commit genocidal acts against the elves, we know they are the "evil" choices, and we make them with a sick kind of glee, (just like when the game gives us violent and sadistic choices), because we are not allowed to feel that way in real life. Unlike our ancestors, we know these choices are wrong. And you get to see exactly how those choices play out.

Even when we're playing at being evil, we see how the virtual elves are hurt.

This can't be said of real-world hatred. Those who wrap themselves up in racism or religious hatred or other forms of tribalism, do not see their enemies as human. They see them as "the other". They feel no more moral crisis at the deaths of black people, or Muslims, than I feel getting an achievement for slaughtering my 1,000th green-skinned goblin.

Fantasy gives us pretend racism and classism, and when we're done, we can return to our privileged and moral lives. I choose to see it for what it is, and rest easy knowing that, just as I wouldn't wield a sword against a real human being, I also wouldn't really want to live in a world where inequality, injustice, intolerance, and genocide are glorified.

Games provide an acceptable outlet for make-believe hate. And the more people who redirect their hatred away from real human beings, towards virtual races, the better.
Published on September 17, 2012 16:21

August 31, 2012

Bathroom Bacon PAX (photo)

PAX Prime, 2010, Seattle, WA

It's blurry.  It says "See the bacon.  Catch the bacon."
Published on August 31, 2012 07:00

August 20, 2012

DEFCON 20: The Coming Of Age

My first DEFCON began five summers ago, right after I met Roland.  He told me in three weeks he'd be flying down to Vegas.  I immediately knew what con he was talking about.  I'd dreamed of attending since I'd first heard about it in the late 90s.  I hadn't gone for two reasons: as a penny-pincher, I didn't like wasting my money on plane tickets, and... I didn't think I had any right to be there.

Awesome Track 1 Stage. Each bit is hanging in 3D. A projector makes this interesting throughout the con.

I couldn't have been more wrong on both counts.  That was 2008, DEFCON 16.  I flew down and I had a blast.

Now it's 2012, and the 20th DEFCON known to mankind.  To put history into perspective, the first Defcon began right about the time the World Wide Web was being invented.  It was before Yahoo, before Amazon, before blogs.  It started during a time when terms like "email" and "download" were known only to a small minority of people, an extremely niche subculture.  I remember that time, even if I do not remember the first Defcon.

Like every year, this con was bigger.  Way bigger.  I would estimate, based on badge sales rumors, that there were roughly 16-19,000 people total.  (There were thankfully plenty of badges -- no one went home with a paper badge).  And not only did I feel like I belonged, I felt like a veteran.

Almost everyone I talked to said this was their first Defcon. When speakers asked for shows of hands, about 40% of the hands went up. This was a Defcon of newbies. Welcome n00bs.

The theme for me this year is a lesson that has been slowly dawning on me for the past half-decade.  It's a lesson that applies to all areas of life: Hacking is Doing.  The winners, leaders, experts, and elite in life are those who simply DO.  Life isn't High Fantasy.  No one is born The Chosen One.  Magic powers aren't something you're born with.

Destiny is guided by doers.  Not even by people who decide they want to be good at something -- but people who decide they want to learn.  People who want to play.  People who take a little time to do more than simply consume.  Those who make something.  There is no certification for cool.  There is no pay-wall, and all l33tist clique-barriers are social illusions -- merely games played by doers.

Fun facts: They let anyone into Defcon.  And you can be a hacker, too.

Want to be an expert at crypto?  Go solve some puzzles.  Want to learn about application security hands-on?  There's an app for that.  Want to play at being a hacker, or even become an expert?  If you have a mind for wiggling through cracks -- and if you're interested, it means you have a mind for it -- then go get it. There are some links, and you've got Google.  No time has ever been easier.

The field is wide open.  I don't work in IT anymore, but if I did, I'd head straight for a job in infosec.  Unemployment is less than one percent.  You do not have to be Uber to be useful in this field.  Pen Testing is about finding low-hanging fruit -- the obvious numb-headed simple security flaws that anyone could find, if organizations gave a crap and bothered to hire you.  If I wasn't focusing on this writing career, I'd go immediately into that field.  And I'd be damn good at it.  Even though I'm a newb.  All it takes is a driving curiosity and a passion for peering inside closed boxes.

Did I mention Defcon is inspiring?  It was especially inspiring this year.

Lost preached the "Just Do Things" message every time he had a mic in front of him. As I said, it's a lesson life has been slowly teaching me, and Lost is a perfect example of this. As he tells it, he came to Defcon not that long ago as a newbie and immediately involved himself.  He started up a robot building party in one of the rooms and gathered lots of people.  He made himself official.  Simply by doing.  Now he's one of the "Elite", and his point, which he drove home over and over is: You should just go do things, too.

All DEFCON Badge Designers are born with a special birthmark, proving their magical birthright from the gods. (Not really.)

While I made a lengthy critique of the badge puzzle this year, the lasting message is that there was a badge puzzle this year.  Because Lost went and did it.  Not only that, but even though I made no progress on solving it, it rekindled my interest in puzzles for the second year in a row.  Three weeks after Defcon I'm still rabidly chasing puzzles.  I'm playing The Secret World because it has puzzles (and we are introducing two of our kids to the same joy).  I'm casually poking at TryThis0ne when I get time.  And I've started playing text adventures again, something I've not seriously done since I was 12.  (A Scott Adams girl here.)  My mind is filling with ideas for puzzle games that I could write, and even though I know I won't have time to actually do them, the energy is spilling into my other work.

Everything cool at Defcon exists because someone just up and did it.  From the electronic badges to the lockpicking village to each of the talks to the contest winners.  To the existence of Defcon itself.  People who are cool at Defcon are people who do.  There is no certification program, no minimum level of knowledge, and even the most expert black-badge CTF winner uber hacker still doesn't know some of the things you know, and is missing talents you possess.  It took me five Defcons to truly figure this out, so listen up.

Your brain is awesome, and it will grow to fill the requests you make of it.  A positive action is a butterfly wing-flap.  Not only can it cause awesome weather all over the world in places you never would have expected, but the workout builds the muscles in your wings until you become a mighty dragon.  Yeah, it's a cheesy metaphor, but I'm the one writing it... If you don't like it, go write your own metaphor.  That's the whole point of this rant.

I'd like to especially stress this message to women, who are more likely to wait to be given permission.  Don't wait till you're in your 30's to learn this lesson like I did, and if you're in or past your 30s?  Now is the best time to start doing.  If you need permission, here you go.  Permission granted, achievement unlocked, go do something.

This authentic WWII Enigma Machine was made by doers! Go make something!

So this year I'm going to focus more on doing.  I'm not going to worry about whether I'm qualified, or whether it will be cool.  I won't worry who the gatekeepers are, or if I'm smart enough to get very far, or if I might get tired and give up at some point.  I will not worry about any end-game.  I will just do what I find interesting and what will make me feel smarter when I'm finished.

DEFCON 20 was far more diverse.  As I said, lots of first-timers.  Sadly, accessibility comes at a cost.  The past two Defcons have been far more tame.  My first couple of Defcons, the twitter stream and rumor mills were full of exciting stories, and it was a bit of a game to anticipate hearing about the next antic.  The next prank, the next rumor of an arrest, the next hacked hotel facility, the next killer bee attack.  Of course every other story left us wondering if Defcon would be kicked out of the Riv.

This year?  I can't think of much that happened.  Not much at all, actually.  At least last year Sabu and the J3st3r were chasing each other around, and the phones got man-in-the-middled.

The downside of course is less excitement.  But less excitement equals less fear, and that's a beautiful upside!  The amazing feats this year seemed to be constructive, and that is something I can get behind.  Most notable, Ninja Networks built their own phone network and distributed special smart phones for those deemed l33t enough.  That's a trend I can support, and I'll just have to be grateful I got to experience the last few years of the wild-west-style DEFCON.

The Goons did an excellent job of Line Management this year.  Though I got in line at peak hours, I only had to stand there for about an hour.  I'd guess there were at least 3,000 people ahead of me.  And the line didn't block the hall.  For the most part, (with one exception), I did not find myself stuck in a between-panel hallway traffic jam.  I was allowed to sit in the same track across multiple talks, and there was (almost) always enough seating.  So very huge kudos to all those who pulled off that amazing social engineering hack.

Goon attitudes were definitely awesome this year.  It's not like the Goons ever sucked... I can't quite put my finger on it, but the Goons seemed more upbeat, and less... bossy?  More fun-loving?  Less oppressive?  Dunno what you guys did, but it was a joy to be ordered around by you guys this year.

On that same token, Defcon seemed like a better experience for women this year.  I've heard some pretty horrific stories, and like many geek cons, DEFCON has a reputation.  Personally, I've been protected from a lot of it since I attend every year with Roland.  But I've seen my share of sexist remarks in talks, and there was one incident last year involving Goons I thought worthy of filing a complaint over.

Yes, there were sexist remarks this year in talks and in hall-conversations.  But the culture made a definite shift in a positive direction.  Partly I'm sure due to official efforts, but also due to attendees taking action.  (See above about "doing".)  An attendee named KC distributed creeper cards, which brought awareness to the whole concept of sexual harassment, which seemed to have a huge overall effect.  In one talk, one of the Core Goons said something rather inappropriate to a woman asking a question at the microphone.  Instead of laughing, the audience groaned, and someone suggested he get a creeper card.

In general, sexist remarks (like tired jokes about being surprised there are any women in the room) met with very little reward.  So I expect next year's Defcon to be a much more friendly environment for women.  Which is a good thing, because I saw more women as a percentage at Defcon this year than ever before. It helps that there are a number of female Core Goons, including Nikita, who can give a female voice in the upper echelons.  I am grateful for their hard work.

DEFCON Kids was growing up this year, too.  It makes me wish I could be a Defcon kid.  One of the most impressive things is that they have a Zero Day contest, in which kids find actual zero days in actual live systems, like online games.  I didn't write down the number, but this year they collectively found dozens of zero days.  We're talking twelve-year-olds here.  Just like it was in the late 80's, only now the adults are teaching them how to do it.  So awesome.

This year was the second at the Rio, and I think I missed the Riviera more than ever.  Every time I had a Defcon memory, it was set at the Riv, and I looked around to find myself in a different place.

I got to see way more talks this year than last.  The talks seemed to lean more technical, and since I'm not in the field anymore, I'm more interested in higher-level talks.  Things like theory and the state of global cyberwarfare and lock picking exploits and biohacking.  Talks on the five newly discovered SQL Injection Techniques with play-by-play how-tos aren't really useful to me.  So in a sense, the talks weren't much for me to write home about.  I probably managed to miss some really good talks, but there you go.  I'll highlight the ones that stood out.

Obviously the keynote by General Alexander, Commander, U.S. Cyber Command, Director, National Security Agency, is worth commenting on.  I had mixed feelings about his talk.

I love the fact that the NSA and hacker communities are finally on speaking terms.  I've read Crypto: How The Rebels Beat the Government Saving Privacy in the Digital Age, and understand the historical context.  The NSA fought every effort to bring encryption technology to the private sector, where it was sorely needed.  Remember when you couldn't export Netscape because of SSL?  Thank the NSA for that.  A lot of our core technologies like email and DNS are fundamentally non-secure for lots of reasons, but a big one is that the private and academic sectors had no access to cryptography, on threat of arrest.

So to see the NSA finally "getting it" on some level was amazing.  And to hear the head of the NSA agreeing with the hacker community on many levels was like Javert telling Jean Valjean that maybe the system was a little corrupt, and perhaps Valjean should be pardoned.

On the flip side, some other things he said made it very clear that the fundamental philosophies of the NSA are still quintessentially opposed to the philosophies of the hacker community.  So while the two groups are agreeing on a lot of the higher concepts, their root reasoning is still at odds.  For instance, after acknowledging that many things which shouldn't have been illegal are now legal thanks to hackers, he then made it very clear that all attempts to improve security should only be done above ground, within the legal sphere.

At its core, the Feds are still Javert.  They don't get that sometimes the law is fundamentally flawed, and that the only way to change those laws is to continually act against them to prove how flawed they are.  If it weren't for lawbreakers, we'd still be at 1980's level security, and encryption and the internet would be owned by true criminals.  (One could argue that this is actually the case.)

So his talk really rubbed me the wrong way.  The Feds are still the Feds.  Don't get me wrong -- hackers should absolutely go work for the NSA.  For starters, your country needs you.  For seconders, their philosophies aren't going to change without more of our culture on the inside.  Like last year, I still hold that the community should take advantage of these olive branches.  Get to work.


I also got to see an unscheduled talk by Kevin Mitnick in the Social Engineering room.  I'd always wanted to watch the Social Engineering contest, so when I had a moment, I wandered over.  Nothing much was going on, so I parked, waiting for the next round to start.  Soon it was announced that Mitnick would be there, and the room filled right up.  I had third-row seats, and got to listen to a lot of stories about Back In The Day.

I knew a lot of hackers Back In The Day.  They traded Zero Days and hacked payphones and cracked games and ran elite boards.  When the "Free Mitnick" campaign started, the hardcore hackers criticized Mitnick, saying he was merely a social engineer, and anyone can pick up a phone and steal a password.

I'm sorry, but those guys were wrong.  Mitnick had to know what he was talking about to call up software companies and get copies of source code.  He used a lot of technical hacks to secure social engineering hacks, and to be honest, he was far more hardcore than most of the tech-only hackers I knew.  He wasn't just hacking servers, he was hacking every single system he could get his hands on.  Including social systems.

And frankly, he deserved to get arrested.  Though a lot of the charges against him were trumped up, he committed a number of real crimes.  Nevertheless, his stories were very cool, and he was clearly a pioneer in this field.  If you ever get a chance to hear him speak, go take a listen.  You will learn more about the hows and whys of security than anywhere else.

I watched three social engineering contest rounds.  The contest works like this:  Contestants are given a list of 20 "flags" they have to capture.  Examples: What OS and browser version are you using?  Is it kept updated?  Who is your shipping vendor?  Do you have a cafeteria?

Contestants are placed in a sound-proof booth and are assigned a company to attack.  The moderator does all the dialing, and the audience can listen to the caller and the callee.

I learned so much from watching this.  The first guy called HP Sales, and claimed to be a new art student. He played dumb about computers, which not only made for a hilarious conversation, but he also managed to capture most of the flags.  I started to get an inkling what kind of information is important to a hacker, and combined with Mitnick's talk, I could easily see why.  Why would you want to know their shipping provider?  Well if you wanted physical access to the building, you might want to dress up as the UPS guy.  If you wanted to send a Trojan, you might want to know what exploits would work, so it would be good to know OS version and the type of anti-virus software.

The third guy was also interesting.  They gave him AT&T, which is notoriously difficult to sosh, and I quickly learned why.  He called a local retail store, and used an interesting (and entertaining) meta tactic.  He had done a lot of research ahead of time, which as Mitnick's stories proved, is very important because it makes you appear convincing.  He told her he was from internal security, and that the DEFCON hacker convention was going on, and they were doing social engineering contests, and for some reason, her store was on a list.  As an audience, we had to suppress our reactions to maintain silence, but inside I was dying of laughter.  It really doesn't get much more meta than that.

At first his strategy seemed to be working, but at some point she just clammed up.  She was well-trained, and about the time he started asking about their operating system, her red flags started waving.  She played it really cool and refused to answer his questions, or if she did, she did so vaguely.  I was very impressed.  The contestant's technique was probably too pushy, and he talked too much, but either way, it was obvious AT&T security had done its job on training.

So he tried again, to another store.  The guy he got started out pretty quiet, but after a while, out comes a fair amount of information.  Which goes to prove that security is only as strong as the weakest link.  And there will always be weak links, so the best route is to try to cover every single angle as best as you can.

I also learned about how innocent-seeming information can be leveraged.  If you're attending Defcon in the future, definitely check out this event.

I also saw the talk by Kevin Poulsen.  I remembered the article from Wired in 1999, which I re-read every few years.  Poulsen describes his exit from prison in 1996.  He went in in 1991, when BBSes reigned and the Internet was only available to academics and hackers.  I nearly cried every time I read his description of stepping out of jail and looking up at a billboard with a URL printed on it.  When he went in, the web hadn't even been invented, and just five years later, mainstream advertisements were sending people to websites.  If you're interested in computer history at all, it's an article well worth reading.

Like Mitnick's talk, Poulsen's was entertaining and old school and I learned that Poulsen was arrested for very good reason.  He'd definitely crossed that line from hacker to con man, and stole real money and property using some pretty ingenious schemes.  (As an aside, this Unsolved Mysteries episode made while Poulsen was still a fugitive is a beautiful bit of history.)

The parties were pretty great this year, and the Crystal Method concert totally rocked.  Roland and I danced ballroom style.  I remember at one point, standing there awash in music and joy and marvel, thinking of my 16-year-old Mormon self, with my first modem, logging onto BBSes.  I imagined how I would explain any of this life to her.  She was so very, very different from who I am now.  Although I am just now rediscovering how cool she was, too, and that's the person I'm uncovering as I do all these puzzles.

Like last year, I entered the Short Story Contest this year.  And I was given an opportunity to do a reading at the Forum Meetup.  I read my entry, "Where the Eye Lacks Message", to a small crowd of about ten people.  I hadn't prepared, other than a couple of practice readings in the room, and I didn't have a handy printout with underlines like I did at my Wayward Reading.  But I found reading from my smart phone to be almost as good, and perhaps in some ways, better.  Someone else decided to do a reading as well, and I really enjoyed it.  I wouldn't mind if DEFCON made this a "thing", but even if it just stays a small impromptu deal in a side-room, I would totally repeat the experience.

My story was a paranoid conspiracy adventure based on last year's badge contest.  So it was really thrilling when Lost bumped into me in the hall and said he liked it.  As I said, recognition is all about the doing.

DEFCON always makes me look at the world in a different way, and on the last day, we saw this at the Carnival World Buffet:

Defcon 20 is closed.  This ATM is WIDE OPEN.

This is an ATM.  It accepts money.  Including cash.  If you're new to computer security, you might wonder why this is interesting... after all, there is no keyboard attached.  But even a little vague information is necessary for a good hack, and here I learned lots of specific information.  Including what kind of financial processing software it uses (which would tell me what ports to scan on a network to find this machine), and something even more damning: It's running VNC, which could allow an attacker to remotely connect to the full desktop.  I hope they got that thing fixed... but probably they didn't.

This year was the best DEFCON I've attended.  It's a great place for learning and doing and meeting.  I'm looking forward to seeing you there next year, when DEFCON turns 21 and will finally be old enough to drink!
Published on August 20, 2012 17:03

August 17, 2012

A Hint of Emerald City Hunter (photo)

The below photo is from one of the settings in my work in progress, Emerald City Hunter.  Can you guess where in Seattle it is?

Somewhere in Seattle, WA
Published on August 17, 2012 08:30

August 10, 2012

PAX Beholder (photo)

PAX Prime, 2008, Seattle, WA

When your head is in the mouth of the Beholder.
Published on August 10, 2012 07:30

August 6, 2012

DEFCON 20: The Badge Contest

DEFCON 20 = Best Defcon Evar.  For me at least.

This post is about the Badge Contest.  I also plan to write about the rest of the con, like how my reading went, the amazing parties, and the surprise talk by Kevin Mitnick I was lucky enough to catch.

Last year Roland and I spent a lot of time distracted by the first annual badge challenge.  I wrote about it here.  This year, I knew there would be another contest, and I debated whether I wanted to obsess over clues and miss a lot of talks.  I figured I'd play it by ear.

We did end up playing around with the badge challenge for a while... and we made zero progress in the first two days.  None.  Not a budge.  We decrypted one very simple newbie puzzle, which was just a clue to a real puzzle, and that's it.

This year's challenge was much, much harder.  Not a casual game, but hardcore mode.  The bar was frankly too high for amateur solvers.  We didn't expect to win this year.  After all, we're newbies.  But we did expect to get past the first level.

So unfortunately, this post is going to be more of a critique than a write-up of puzzle details.  It breaks my heart, because I know Lost puts his soul into giving people a good experience.  He's made it clear that he does not want to overly frustrate and that he wants to encourage everyone to participate.  Lost fills many, many shoes at the con, and I appreciate all he does.  Defcon was truly awesomesauce this year, and I'm sure a lot of that was due to his efforts.

However, I'm a big believer in constructive critique, and in transparency, so here is a rundown of the frustrations that we experienced.  For actual detailed write-ups of the clues, there are two: 1o57.wikispaces.com and elegin.com.



I arrived at Defcon on Thursday while Roland was still at BlackHat at Caesars Palace.  The news came pretty fast that we'd have to do some electronic badge hacks in order to solve the puzzle.  That intimidated me, and I almost decided to enjoy Defcon without the added distraction...

Then I found myself in the greater rotunda, staring at the numbers and the symbols, and I was hooked.  As with last year, I whipped out the notebook and started writing everything down.  Started taking pictures.  Started basic cryptanalysis.  For example, I immediately noticed the numbers in the greater rotunda were 1-26, so it was some kind of substitution cipher.  So far so good.

Then Roland arrived and we went at it for a few hours.  We had piles of crypto and clues, from the program, from the lanyards, from the badges, from the Defcon DVD, from other attendees, from around the con.  And...

We got nowhere.

Lost's Twitter hints weren't helpful.  Some of them were things we'd already gathered from the Badge Talk or other sources.  Like that we needed all three lanyards.  That we needed to use Quick Fox (the pangram clue already told us that).  Other tweets only added to the pile of data we had, with no arrows as to how to apply any of it.  At one point, based on a Tweet, we started trying to apply Rail Fence to all the codes, which was another big time waster.

Lost hinted at the hall signs, but I saw nothing.  Part of the problem was my mistaken assumption, based on last year's example, that all the signs were the same (so I only checked a couple of signs).  The other issue is that the special signs were stolen at some point, so it would have been impossible to notice them.  We had one of the sign codes from the DVD, but not the other two.

From a game design perspective, the first layer of puzzles was too hard and gave no encouraging breakthroughs.  Had we managed to unlock the second layer, it would have been easier, with lots of carrots.  The write-ups describe several URLs (unlocked by solving the difficult first layer puzzles) containing simple reversed-letter strings.  Easy-sauce.  Accessible.  (What to do with them would have been the challenging part.)

If the goal of the game is to get everyone involved, you have to make the first levels easy and rewarding.  On the first day, groups of random strangers were forming in the halls to examine the clues.  We were sharing, we were playing with the badges, we were taking pictures of each other's notes.  By Friday afternoon, the groups had dwindled to a few lone souls, and by Saturday, all but the most hardcore had given up.  The winner of the contest was a Mystery Challenge team.  I'm sure that wasn't the point.

It would have worked better had there been multiple easy first-layer ciphers all vaguely pointing to a deduction.  Some examples of "easy" ciphers might be: a brute-forceable cryptogram, clues hidden in the source of an HTML page, image steganography, an obvious OTP, ROT13, binary or hex.  Instead, there was a single Atbash code with a specific URL, which in and of itself might have been easy without the overwhelming distractions.

Atbash was totally fair.  It's simple enough, and listed at the top of the list on the Rumkin cipher reference  page.  But our chances of guessing or brute forcing this were reduced by all the other distractions and time wasters we tried based on other clues and obvious suspects, like multiple pangram cypher types, OTPs, Rail Fence...
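As an added illustration (not code from this post or from the contest), here is a small Python sketch of what brute forcing the "easy" first-layer ciphers mentioned above looks like: it tries Atbash, every ROT shift, string reversal and 1-26 number substitution, then ranks the guesses by how many English words they contain. The word list, the function names and the sample ciphertexts are all constructed for the example.

```python
import string

ALPHA = string.ascii_lowercase
# Tiny constructed word list; a real solver would load a full dictionary.
WORDS = {"the", "quick", "brown", "fox", "jumps", "over", "lazy", "dog",
         "and", "you", "this", "that", "not", "for", "clue", "next"}

def _substitute(text, target):
    """Map a-z (and A-Z) onto the 26-letter string `target`."""
    table = str.maketrans(ALPHA + ALPHA.upper(), target + target.upper())
    return text.translate(table)

def atbash(text):
    """Mirror the alphabet (a<->z, b<->y, ...); Atbash is its own inverse."""
    return _substitute(text, ALPHA[::-1])

def rot(text, n):
    """Caesar shift by n letters; n=13 is ROT13."""
    return _substitute(text, ALPHA[n:] + ALPHA[:n])

def a1z26(text):
    """Decode numbers 1-26 into letters, or return None if that does not fit."""
    tokens = text.replace("-", " ").split()
    if not tokens or not all(t.isdecimal() and 1 <= int(t) <= 26 for t in tokens):
        return None
    return "".join(ALPHA[int(t) - 1] for t in tokens)

def score(text):
    """Count whitespace-separated tokens that are known English words."""
    return sum(w.strip(string.punctuation) in WORDS for w in text.lower().split())

def candidates(ciphertext):
    """Yield (method, plaintext guess) for every cheap transform."""
    yield "atbash", atbash(ciphertext)
    yield "reversed", ciphertext[::-1]
    for n in range(1, 26):
        yield f"rot{n}", rot(ciphertext, n)
    decoded = a1z26(ciphertext)
    if decoded is not None:
        yield "a1z26", decoded

def triage(ciphertext, top=3):
    """Return the `top` best-scoring guesses, best first."""
    ranked = sorted(candidates(ciphertext), key=lambda c: score(c[1]), reverse=True)
    return ranked[:top]

if __name__ == "__main__":
    # Constructed samples: one pangram fragment under three easy ciphers,
    # plus a 1-26 number string.
    for sample in ("gsv jfrxp yildm ulc", "gur dhvpx oebja sbk",
                   "xof nworb kciuq eht", "3 12 21 5"):
        print(sample, "->", triage(sample, top=1)[0])
```

The whole search space is 28 candidates per ciphertext, so the hard part of a puzzle like this is knowing which string to feed in, not the decryption itself.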

Like rats (or polar bears) whacking at the food button, we eventually gave up when no pellets came out.

I have a few suggestions, from a game design perspective, which could help next year's challenge be more fun and accessible.

First, have some method of separating the bC from the mC.  That may not be a problem next year since the rumor is that this year's mC was truly (and sadly) the last.  But if both are going on, maybe a "#bC" and "#mC" signature next to clues from each (as is done in Twitter).  Or create fictional characters who are leaving the clues, and include signatures (initials, a name, a symbol like a rose or Kanji character or the Eye of Horus).  Make it clear those are the rules, so that any beginner can quickly pattern-match and easily figure out, "This clue is not for me."  Of course this method will make it harder to place intentional red herrings, and it throws many forms of steganography right out, but ... maybe it doesn't have to. :)

Another thing would be to give hints as to which clue goes to what puzzle.  I'm not asking for dead giveaways, and I still want to be able to sort some things out.  I don't want to be applying all three forms of Quick Brown Fox (plus the Wizard's Pangram, et al.), to every single crypto at the con.  (To be fair, the pangram clue was right next to the puzzle it belonged to, but also to be fair, not all clues this year and last were so closely associated.)  So perhaps a color scheme - puzzles printed in green match clues printed in green.  Or some other scheme... again, it could leverage fictional characters: this key has Agent X's signature, but this puzzle has Horus's Eye, so they don't go together.  Or some indicator of when you'll need each piece of information.  If from the start we're being given bits of a later puzzle, there should be some indicator that we don't know enough to work that one.

Some misdirection and confusion is fun.  Too much is overwhelming.

If there are going to be interactive badges, have them spit out some kind of content early on.  Anyone who tries even a little bit should get some kind of, "Nice try, keep going".  The method of getting that should lead logically to the more difficult and meaningful answer.  Like if you sync with one other badge type, it flashes SOS in Morse Code or "MISS!" in binary or says "GAME OVER" when you wave the LEDs back and forth.  Then we'd know when we're barking up the right tree.

My last suggestion: Give some low hanging fruit.  Make a couple of early puzzles so ridiculously easy that any Defcon attendee will realize this game actually is for them.  TryThis0ne's first puzzle is one such example.  You have to solve it before you can even access the other puzzles.  Anyone who's ever done a newspaper cryptogram can solve it.  Feel free to taunt those who crack them, like, "I was just testing to make sure you were awake, but my dog could solve that puzzle."  After that, ramp it up.  Steeply.  Terribly.  Painfully.

Parenthetically, in DEFCON 20's contest, a few easy attempts rewarded you with a taunt, like, "Did you really think it would be that easy?"  If I recall, they were things like guessing Lost's name in the URL, and messages hidden in same-color text on the HTML page.  Those messages were actually encouraging.  They sent a clear subtext: "Hey, you're smart enough to try the obvious things, and you found something... not something useful, but something.  You can do this."

Now for the good points:

In the badge talk, Lost mentioned a goal that he successfully accomplished: He wanted the game to be more social.  That definitely worked.  I found myself talking to more people on the first day than I've talked to for entire cons.  People were excited to share and help and try to beat the challenge.  We were holding up badges, talking about them, trying to figure out what made them tick.  We were looking at each other's lanyards, trying to figure out why we needed all three...

He also continued the backstory mythology from last year, of the Brotherhood of Horus and secret societies.  There was mention of a comic book, and I'm looking forward to that.  I wrote a story for this year's short story contest based on the clues from last year's badge contest, so I'm looking forward to seeing how next year's mythology develops.

The contest was also inspiring.  Lost did a great job both years of making us curious.  These puzzles remind me that I'm smart, and they bring back the feeling I had as a kid, when I'd excitedly try the brainteaser every Friday at school, and I'd usually win.  It helps me remember that I love puzzles, and that just because I've aged and experienced failures and forgotten how to do grade school math doesn't make me any less capable than I was as an eight year old.

The hands-on aspect of the Badge Challenge is essential and awesome and inspiring.  It lets me participate in Defcon in a way that makes me feel I could participate in "higher-level" contests, if I wanted.  The badge challenges have made me feel like I belong at Defcon and I'm not just a poser or a tag-along.

After DEFCON 19, Roland and I were inspired to do more puzzles during the year, but we didn't follow up.  This year, we did.  We found TryThis0ne.com, which is a site full of puzzles and hacking challenges.  And we started playing a new MMORPG, The Secret World, based on its inclusion of real puzzles and crypto that you have to actually solve before you can complete quests.  My brain cells are grateful for the exercise.

A questioner at the badge talk Q&A asked about online resources for doing more puzzles, and he was directed to Martin Gardner (possibly these sites, Puzzle Playground and Math Puzzle) and Notpron.  I haven't checked those out, but if I tire of TryThis0ne and TSW, I have a fallback plan.

Most of all, I look forward to the badge challenge at DEFCON 21!  Maybe with some practice, we'll get a little further next year.
Published on August 06, 2012 19:15

August 3, 2012

Institute for Advanced Psychenergetic Studies (photo)

Las Vegas, NV 2008

This is on a door at one of the mega-hotels in Las Vegas.  I think it was the New York-New York Hotel.  Like so many things in Vegas, this doorway is false.  ... or is it?
Published on August 03, 2012 08:00

July 27, 2012

Menu: ???? (Photo)

Seattle, WA

Spicy Chicken Bento, Shrimp Teriyaki, and... we're actually not sure what this is.
Published on July 27, 2012 08:30