Networks
A Look Inside Defcon's Network Ops Room, The Most Secure Conference Wi-Fi You'll Ever See
Posted by John Mahoney at 6:00 AM on August 12, 2008
Network access at conferences sucks, pretty much without exception. That is, unless it's built by the badge-wearing network ops volunteers of the Defcon hacker convention, who are affectionately referred to as the "Goons" (read: IT badasses). Wired's Threat Level got a chance to look behind the scenes and snap some great photos of the network gear (and chain link fences, and padlocks, and German Shepherds) that make the Defcon network the fortress that it needs to be to keep a network full of hackers from tearing each other apart.
A Cisco fibre switch (top) handles all of the traffic on the 20 megabit internet link, and the whole thing runs behind an OpenBSD firewall. Around 40 Aruba AP-70 access points distribute the wireless network; they are essentially just radios hooked to AC power and pull all of their configuration from the central network system, so there is nothing stored on the AP itself for anyone to reconfigure or take over.

The whole thing sits behind this padlocked chain-link fence, which is watched around the clock by an armed security guard.

Hit up Threat Level for the full set, including a portrait of Tomoe the German Shepherd, the Goons' last line of defence. [Threat Level photos by Dave Bullock via /.]

Comments
Gary Ireland
Posted September 3, 2008 7:54 AM
I was there and the Wi-Fi was secure because you couldn't log in. Dropped connections and poor throughput if you could.
Aruba SUCKS!
mullingitover
Posted 6:36 AM 12/8/08
Well, given that you got physical access to their hardware, their security is total crap.
designaked
Posted 6:35 AM 12/8/08
I think a hot chick in nothing but a thong and a white (wet) tank top placed in front of the gate would be more effective than anything else...no?
praevalesco
Posted 6:30 AM 12/8/08
All the security in the world isn't going to stop ninjas riding sharks with laser beams attached to their heads. pfffft.
Log1c
Posted 6:26 AM 12/8/08
@styrofoam: It's fairly impressive for being at a conference and not equipment owned by the convention center itself.
Git Em SteveDave displays attention-grabbing vanity
Posted 6:26 AM 12/8/08
Looking at those wires reminded me of Catherine Zeta Jones, Sean Connery, and Enya for some reason. Damn you Entrapment, get out of my skull!
styrofoam
Posted 6:19 AM 12/8/08
This networking isn't really all that ridiculously crazy, though. Kind of boring old hardware. Of course, boring old = Tried and true. But a 3500 is hardly an exciting piece of gear.
Note that the PoE switch even has a sticker on it that says "Trade-in"- probably scavenged from an unwitting employer's network pile. :)
The German Shepherd is definitely the key component my network is missing, though...
craighyatt
Posted 6:16 AM 12/8/08
@mdawg4624: is it the networking or the German Shepherd?
arkbuilder
Posted 6:16 AM 12/8/08
@Elliuotatar: I think it's about 1907 street credits
Shub-Niggurath
Posted 6:16 AM 12/8/08
@mdawg4624: no, what's odd is that all the Giz readers that see this get horny at the same time.
... ewwwww.
Elliuotatar
Posted 6:13 AM 12/8/08
It seems to me that all this extra security would only make the network a more tempting target. I mean you're at a conference of hackers. How much street cred would you get for hacking THAT network?
Hiphopopotamus
Posted 6:13 AM 12/8/08
What a waste of money - don't they know they can safely lock up all that equipment with a high quality, super safe Medeco lock?
orphic1
Posted 6:10 AM 12/8/08
nice.
mdawg4624
Posted 6:10 AM 12/8/08
is it odd that networking makes me horny?
slush
Posted 6:09 AM 12/8/08
Gooooo Aruba Networks!
Xavoc
Posted 7:02 AM 12/8/08
@MagnoliaBoy: And, as for the actually finding the culprits. It's called triangulation. Use your APs in passive mode to give you a basic location, then send 3 goons out with sniffers to further triangulate it down.
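The triangulation step Xavoc describes, as an added example that is not from the post or the comments: each AP in passive mode reports the RSSI at which it hears the rogue BSSID, the RSSI is converted to a distance with a log-distance path-loss model, and the AP positions from the coverage map are combined by least squares to estimate where the rogue is. The AP grid, the rogue's true position and the radio constants (-40 dBm at 1 m, path-loss exponent 3) are assumptions for the example; real readings are far noisier, which is why the result is only a starting point for the goons with handheld sniffers rather than an answer.

```python
"""Locate a rogue AP from the RSSI reported by the conference's own APs.

Added example, not from the post or the comments.  AP coordinates, the
rogue's true position and the radio model constants are assumptions.
"""
import math

# Log-distance path-loss model: RSSI(d) = RSSI(1 m) - 10 * n * log10(d).
# -40 dBm at 1 m and n = 3 are typical indoor guesses, not measured values.
RSSI_AT_1M = -40.0
PATH_LOSS_EXP = 3.0


def rssi_to_distance(rssi_dbm: float) -> float:
    """Invert the path-loss model to get an estimated distance in metres."""
    return 10 ** ((RSSI_AT_1M - rssi_dbm) / (10 * PATH_LOSS_EXP))


def trilaterate(anchors):
    """Least-squares position from [(x, y, distance), ...], at least three anchors.

    Subtracting the first circle equation from each of the others removes the
    quadratic terms and leaves a linear system A.[x, y] = c, solved here via
    the 2x2 normal equations so no numpy is needed.
    """
    if len(anchors) < 3:
        raise ValueError("need at least three anchors")
    x0, y0, d0 = anchors[0]
    saa = sab = sbb = sac = sbc = 0.0
    for x, y, d in anchors[1:]:
        a = 2 * (x0 - x)
        b = 2 * (y0 - y)
        c = d * d - d0 * d0 - x * x - y * y + x0 * x0 + y0 * y0
        saa += a * a
        sab += a * b
        sbb += b * b
        sac += a * c
        sbc += b * c
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("anchors are collinear; add an AP off the line")
    return ((sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det)


def locate_rogue(reports):
    """reports: [(ap_x, ap_y, rssi_dbm), ...] from every AP that heard the rogue BSSID."""
    return trilaterate([(x, y, rssi_to_distance(r)) for x, y, r in reports])


def demo():
    """Constructed scenario: four APs on a 30 m grid, rogue actually at (10, 20)."""
    aps = [(0.0, 0.0), (30.0, 0.0), (0.0, 30.0), (30.0, 30.0)]
    true_pos = (10.0, 20.0)
    reports = []
    for ax, ay in aps:
        d = math.hypot(true_pos[0] - ax, true_pos[1] - ay)
        # Drivers report whole dBm, so round: this alone moves the estimate by about a metre.
        rssi = round(RSSI_AT_1M - 10 * PATH_LOSS_EXP * math.log10(d))
        reports.append((ax, ay, rssi))
    return locate_rogue(reports)


if __name__ == "__main__":
    print("estimated rogue position: (%.1f, %.1f)" % demo())
```

With only the 1 dB quantisation of the reported RSSI the estimate in `demo()` lands within about a metre of (10, 20); walls, bodies and multipath on a real conference floor push that to several metres, so the tool narrows the search to a corner of a room and the sniffers do the rest. Anyone walking around with the rogue, as MagnoliaBoy suggests, just has to be re-located each time it reappears, which is still a very different problem from not knowing where to look at all.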
Xavoc
Posted 7:01 AM 12/8/08
@MagnoliaBoy: There are ways around this, including forcing the unauthorized APs offline via attack.
The fact that they have that AP coverage map leads me to believe they're quite possibly already employing active countermeasures against rogue APs.
Pretty much you just need APs that can go into passive mode periodically and scan for APs, or deploy an active w/ a passive. Just because an SSID is not broadcast, doesn't mean you can't pick up on it by sniffing traffic.
jkr I take the internet seriously
Posted 6:59 AM 12/8/08
@MagnoliaBoy: I totally agree, now if we could just find some, I hear they're tasty.
MagnoliaBoy
Posted 6:52 AM 12/8/08
@jkr I take the internet seriously: Ha! Great minds think alike.
MagnoliaBoy
Posted 6:51 AM 12/8/08
What if instead of trying to hack the super secure un-hackable network, you set up a clone network that looks mostly the same and try phishing for Normies who can't tell the difference? The Goons will probably notice, but could they actually/physically find the culprits?
zixyon
Posted 6:49 AM 12/8/08
now we just have to wait for the news when some kid hacks it ^_^
jkr I take the internet seriously
Posted 6:49 AM 12/8/08
"I got hacked at defcon, and all I got was this stupid shirt"
I suppose maybe a hacker could have set up his own network w/ the same SSID, that might have been fun, and do-able. Heck even give full internet access by acting as a range extender. Oh well, talk is cheap.
KarinDiscoGirl
Posted 6:47 AM 12/8/08
@mdawg4624: Not that weird. I agree.
Xavoc
Posted 6:43 AM 12/8/08
@Shub-Niggurath: Hardly, anyone who does networking for a living has already looked at the gear and noticed how out-of-date most of the switches are. As in EOL/EOS cannot/will not support SSH v2 (if SSH at all) ever.
Sorry, network-hardware wise... It really isn't that impressive. The impressive part is that it remains secure during a hacker conference (that they know of) and is handled completely by volunteers.
The firewall (server at bottom of stack) looks like a Supermicro 1u rackmount system.
The APs are fairly standard for any centrally managed AP device.
bpapa9013
Posted 7:30 AM 12/8/08
Stun gun, bolt cutters = network hacked...
j/k ;)
MagnoliaBoy
Posted 7:24 AM 12/8/08
@Xavoc: Personally, if I was going to Defcon, I wouldn't bring crap with me. Maybe just a voice recorder and a TV-B-Gone in case they forgot the electrical tape.
joelja
Posted 7:24 AM 12/8/08
I don't see the Aruba controller in that pile of equipment... Those APs don't run themselves...
Frankly I'm not very impressed by the level of investigative journalism represented by this post...
from bottom to top I see:
pelican 1650 ata case
random supermicro 1u
1u pc appliance of some flavor
older catalyst metro-e switch with fiber gbics
new 48-port catalyst with poe....
Xavoc
Posted 7:22 AM 12/8/08
And how do you know that the people running the con aren't sniffing ALL of the traffic and storing it for replay/analysis later? With terabyte storage drives becoming so cheap these days, you'd only need a machine capable of holding/controlling 10+ drives and you could have a very large traffic snapshot available at all times a la Sniffer's Infinistream products.
Xavoc
Posted 7:21 AM 12/8/08
@Xavoc: Which would then make it all a real pain in the ass until you could gain physical access to the machine. (See fence, padlocks, guard, etc...)
Xavoc
Posted 7:20 AM 12/8/08
@MagnoliaBoy: They (reporting networks) can differentiate between APs, in fact, the AP you stood near could detect you and report that it was seeing a "duplicate" of itself.
Really, it just depends upon how the network is set up. Sure, there are plenty of ways to hide yourself, but quite a few to find someone as well. Figure most of the traffic is WPA encrypted (one would hope) and that there are people constantly trying to break into your shizzle. I believe there is a wall of shame for people who expose their usernames and passwords at the site. Which, happens constantly. Unless of course you're making a honeypot site that tracks what people do to hack into things, so that you can study their methods and work to prevent them.
And, really you're responsible for the security of your own machine there. Hacking the network is a different thing altogether. Pretty much the only way to make the damn thing unhackable would be to load everything with read-only configuration files. IE: custom built secure ubuntu live CD w/ only the services you dictate. Including all of the AP configs...
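The rogue-AP and evil-twin scenario that Xavoc, MagnoliaBoy and jkr are going back and forth on above, as an added example that is not from the post or its comments: a small parser for 802.11 beacon and probe-response frames that flags any BSSID advertising the conference SSID that is not on the list of deployed APs, including the hidden-SSID case Xavoc mentions, where the beacon carries an empty SSID but the AP's probe responses still name it. The SSID "conf-wifi" (the real one is not in the page), the locally administered BSSIDs and the frames themselves are constructed for the example; a real capture would come from a monitor-mode interface with the radiotap header already stripped.

```python
"""Parse 802.11 beacon / probe-response frames and flag evil-twin APs.

Added example, not from the post or the comments.  Assumes each frame starts
at the 802.11 MAC header (radiotap already removed).  All frames, BSSIDs and
the SSID "conf-wifi" are constructed for the example.
"""
import struct

SUBTYPE_PROBE_RESP = 0x5
SUBTYPE_BEACON = 0x8
TAG_SSID = 0
TAG_DS_PARAMS = 3          # one byte: the channel the AP is on


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt_frame(frame: bytes) -> dict:
    """Return subtype, BSSID, SSID (None if hidden) and channel of a beacon or probe response."""
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = fc0 >> 4
    if ftype != 0 or subtype not in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        raise ValueError("not a beacon or probe response")
    # MAC header: fc(2) duration(2) addr1(6) addr2(6) addr3=BSSID(6) seq(2) = 24 bytes
    bssid = _mac(frame[16:22])
    # Fixed parameters: timestamp(8) beacon interval(2) capability(2)
    pos = 24 + 12
    ssid = None
    channel = None
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                                   # truncated tag, stop parsing
        if tag == TAG_SSID:
            # "Hidden" SSID: zero length, or a length>0 value that is all NULs
            hidden = length == 0 or not value.strip(b"\x00")
            ssid = None if hidden else value.decode("utf-8", "replace")
        elif tag == TAG_DS_PARAMS and length == 1:
            channel = value[0]
        pos += 2 + length
    return {"subtype": subtype, "bssid": bssid, "ssid": ssid, "channel": channel}


def find_rogue_aps(frames, authorized, protected_ssid):
    """Return (kind, bssid, channel) for every unknown BSSID that advertises protected_ssid.

    authorized: set of BSSIDs the network team deployed.  A hidden-SSID beacon
    says nothing on its own, so probe responses are fed in as well: they carry
    the real SSID, which is what Xavoc means by picking it up through sniffing.
    """
    seen = {}
    for f in frames:
        info = parse_mgmt_frame(f)
        entry = seen.setdefault(info["bssid"], {"ssid": None, "hidden_beacon": False, "channel": None})
        if info["subtype"] == SUBTYPE_BEACON and info["ssid"] is None:
            entry["hidden_beacon"] = True
        if info["ssid"] is not None:
            entry["ssid"] = info["ssid"]
        if info["channel"] is not None:
            entry["channel"] = info["channel"]
    alerts = []
    for bssid, entry in seen.items():
        if entry["ssid"] == protected_ssid and bssid not in authorized:
            kind = "evil twin (hidden SSID)" if entry["hidden_beacon"] else "evil twin"
            alerts.append((kind, bssid, entry["channel"]))
    return alerts


def build_frame(subtype, bssid: bytes, ssid, channel: int) -> bytes:
    """Construct a minimal beacon / probe response for testing; ssid=None means hidden."""
    fc = bytes([subtype << 4, 0x00])
    header = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)      # timestamp, interval, capability
    ssid_bytes = b"" if ssid is None else ssid.encode()
    tags = bytes([TAG_SSID, len(ssid_bytes)]) + ssid_bytes
    tags += bytes([TAG_DS_PARAMS, 1, channel])
    return header + fixed + tags


def demo():
    """One legitimate AP plus a rogue that hides its SSID in beacons but not in probe responses."""
    ours = b"\x02\x00\x00\x00\x00\x01"                 # locally administered, constructed
    rogue = b"\x02\x00\x00\x00\x00\xaa"
    frames = [
        build_frame(SUBTYPE_BEACON, ours, "conf-wifi", 6),
        build_frame(SUBTYPE_BEACON, rogue, None, 11),           # hidden SSID
        build_frame(SUBTYPE_PROBE_RESP, rogue, "conf-wifi", 11),  # gives it away
    ]
    return find_rogue_aps(frames, authorized={"02:00:00:00:00:01"}, protected_ssid="conf-wifi")


if __name__ == "__main__":
    for kind, bssid, channel in demo():
        print(f"{kind}: {bssid} on channel {channel}")
```

A controller-based system like the Aruba gear in the photos does this on the APs themselves, which is what Xavoc is getting at with passive scanning; the stand-alone version only needs management frames, which are never encrypted, so a goon with a laptop in monitor mode can run the same check. Channel is deliberately not part of the match: a twin on a different channel is still a twin, and it is often on a different channel precisely so clients prefer it.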
MagnoliaBoy
Posted 7:11 AM 12/8/08
@Xavoc: I thought of that, but figured how hard is it to turn off the access point every 15 minutes or so and find another spot, combined with large conference rooms where everyone has a laptop would throw a lot of hits out masking your own, plus I've never seen a nice enough handheld network detector that could pin down different IP addys or SSIDs and whatnot. I wouldn't be surprised to see one, but if Fluke makes it (and they probably do) it'll only be eleventy jillian dollars to own. I think there's too many people and too much traffic for that to work very well. They have a map of the APs, what if you just stood next to one?
smcallah
Posted 7:09 AM 12/8/08
If we can just see the device configurations, then we'll know how actually secure it is.
Just showing a bunch of dated hardware doesn't really show us much. Even if it was brand spanking new hardware, we still shouldn't be impressed. It's how it's configured that is important.
m4ximusprim3
Posted 7:07 AM 12/8/08
@designaked: Holding a steak for the German Shepherd. While the goons may like boobies, I doubt Tomoe is much swayed by a wet t-shirt contest.
Xavoc
Posted 8:10 AM 12/8/08
@MagnoliaBoy: I would bring a machine that had basic browsing thing, and only access pre-made junk accounts that I don't care if I lose access to.
Then wipe the machine when I returned home.
But, I'm paranoid like that.
Xavoc
Posted 7:58 AM 12/8/08
@joelja:
The 1U PC appliance looks like an IPS/IDS appliance from McAfee.
The 12-port 2U Cisco switch is an EOL 3550-12 Catalyst switch (EOS/EOL).
The 2U 48-port Cisco switch is likely a 2948G (EOS/EOL).
Justapspfan
Posted 8:41 AM 12/8/08
I cant wait for the movie........Hackers III.
discounteggroll
Posted 8:37 AM 12/8/08
translation in layman's terms:
boobies boobies boobies
_badtziscool
Posted 8:22 AM 12/8/08
Funny how EVERYONE here just assumed that what they saw in the pictures is the actual network.
SinAmos
Posted 9:02 AM 12/8/08
"our"
SinAmos
Posted 9:02 AM 12/8/08
@praevalesco: You have divulged are clan's secrets for the last time, Xia Zhu.
koryglenn
Posted 11:06 AM 12/8/08
Wow, it is true...IT guys can't run cables for shit. Factory made cat-5=lazy. Anyone ever heard of velcro and labels?
smcallah
Posted 3:14 PM 12/8/08
@koryglenn: There's nothing wrong with factory made Cat5e/Cat6 cables. As long as you use proper cable management and standard cable lengths.
I would prefer not to pay network engineers $35 - $50 an hour to make cables that I can buy for $2 each in large quantities.
Use a cable tester to verify the cable is good. If you get a bad cable, you just return it to the supplier for a new one. Instead of having someone waste time putting a new end on the cable, or making a new one.
I'm certainly not against making a cable when necessary, but for $1.25 for 3' cables, $1.50 for 5' cables, $1.75 for 7' cables, and $2 for 10' cables, all Cat6, I'm going to have a lot more pre-made cables run than hand-made. Hand making is saved for cables longer than 14 feet.
I guess if you can't afford real cable management, then making cables as short as possible is better than nothing. But still feels like a waste of time and money considering what you can buy pre-made cables for.
If you're buying your cables at a retail store or even Newegg, then maybe you do need to make your own cables to save money.
michaelleung
Posted 4:32 PM 12/8/08
@mdawg4624: No, I feel it too.
slayersher
Posted 8:38 PM 12/8/08
You guys don't think that maybe at Defcon the volunteers might know how to secure a network from their own peers? Just because it's dated hardware doesn't mean anything at all.
wiregr
Posted 2:36 AM 13/8/08
@MagnoliaBoy: You wouldn't even need a TV-B-Gone, because the badge already had that functionality built right in.
scumola
Posted 2:33 AM 13/8/08
That's just the decoy network. :) I'm sure that defcon has wireless in each conference room and much more ethernet running around than that.
BTW, the boxes in the top picture are:
* Cisco 2948g (I've got two of them - easy to reset the admin password to if you have physical access to the box and no ssh access, so sniff for telnet traffic!). Note, the ethernet ports on this switch are 10/100, which is fine to run wireless from since most wireless is < 100Mbit, but I still think that it's weird that defcon would run on such outdated hardware.
* Cisco fiber switch
* Supermicro 1U "superserver" box - probably the firewall layer - probably linux w/ iptables.
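scumola's "sniff for telnet traffic" and Xavoc's earlier point that the older switches in the rack can't do SSH v2 are the same risk from two sides: management sessions to that gear cross the wire in cleartext. As an added example not from the thread, here is a small reconstructor that strips telnet option negotiation from a captured session and pairs each login prompt the switch sends with the line the client types after it. The session segments (direction plus payload, in arrival order, the shape a TCP-stream follow in Wireshark gives you) are constructed, and the prompt strings follow the usual Cisco IOS login dialogue, which is an assumption about what any particular switch prints.

```python
"""Recover credentials from a cleartext telnet session to a switch.

Added example, not from the post or the comments.  The session in demo()
is constructed; the prompt strings assume a Cisco IOS style login dialogue.
"""
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
PROMPTS = (b"username:", b"user name:", b"login:", b"password:")


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC option negotiation (RFC 854) and keep only the user-visible bytes."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):
            break                                   # dangling IAC at end of segment
        cmd = data[i + 1]
        if cmd == IAC:                              # IAC IAC is an escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                                  # IAC <cmd> <option>
        elif cmd == SB:                             # sub-negotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                                  # NOP, GA, AYT, ...: IAC <cmd>
    return bytes(out)


def extract_credentials(segments):
    """segments: ordered [(direction, payload)], 's' = server->client, 'c' = client->server.

    The last prompt seen from the server is paired with the next complete line
    the client sends.  Telnet clients normally send one keystroke per segment,
    so client bytes are buffered until a CR arrives.
    """
    creds = []
    pending = None
    buf = b""
    for direction, payload in segments:
        text = strip_telnet_negotiation(payload)
        if direction == "s":
            low = text.lower()
            hits = [(low.rfind(p), p) for p in PROMPTS if p in low]
            if hits:                                # take the prompt that appears last
                pending = max(hits)[1].rstrip(b":").decode()
        else:
            buf += text
            while b"\r" in buf:
                line, _, buf = buf.partition(b"\r")
                buf = buf.lstrip(b"\n\x00")         # line ending is CR LF or CR NUL
                if pending is not None:
                    creds.append((pending, line.decode("ascii", "replace")))
                    pending = None
    return creds


def demo():
    """Constructed session: option negotiation, username typed one key at a time, echo, password."""
    segments = [
        ("s", bytes([IAC, WILL, 1, IAC, WILL, 3]) + b"\r\nUser Access Verification\r\n\r\nUsername: "),
        ("c", bytes([IAC, DO, 1, IAC, DO, 3]) + b"a"),
        ("c", b"d"), ("c", b"m"), ("c", b"i"), ("c", b"n"),
        ("s", b"admin"),                            # server echoes the typed name
        ("c", b"\r\n"),
        ("s", b"\r\nPassword: "),
        ("c", b"s3cret\r\n"),                       # nothing echoed while the password is typed
        ("s", b"\r\nswitch#"),
    ]
    return extract_credentials(segments)


if __name__ == "__main__":
    for prompt, value in demo():
        print(f"{prompt}: {value}")
```

On a switched network you only see this traffic if you are on the management VLAN or have pulled it to yourself, which is exactly why the management gear in the photos sits on its own cabling behind the fence; the example also makes scumola's second point concrete, that a switch which only speaks telnet is protected by the wire, not by the protocol.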
secgeek
Posted 4:14 AM 13/8/08
@jkr's bold comment: Or you could just stick to 3G and keep ur machines off that thing ;)
I didn't even use my laptop once at the conference...
AlanIn4D
Posted 8:44 AM 13/8/08
@Elliuotatar: "That is, unless it's built by the badge-wearing network ops volunteers of the Defcon HACKER convention, who are affectionately referred to as the "Goons" (read: IT badasses). Wired's Threat Level got a chance to look behind the scenes and snap some great photos of the network gear (and chain link fences, and padlocks, and German Shepherds) that make the Defcon network the fortress that it needs to be to keep a network full of HACKERS from tearing each other apart."
With hackers going to a hacker convention, I bet it's safe to assume it is a target presently.