[Phoenix-pm] CPAN "cost" $677 million, DEFCON report

[Scott Walters]

Hi folks,

If you don't read Slashdot: http://www.etla.org/stdout/code/cpan_sloccount.html
Someone took a lines-of-code tool to Perl to estimate the amount of labor
that went into it (though of course this is going to be wildly inaccurate
for a host of reasons). Still, interesting. 12,434,471 lines of Perl, which
constituted about 80% of the text data. 0.14% assembly was kind of interesting
too.

Back from DEFCON and since I don't have a company to have sent me I
feel as though I should report to you as I feel as though I should
report to *someone*. First day, the laptop's power supply blew
(capacitor), so I was without a laptop the whole time. Only 
gutter punk party boys go to DEFCON detached from a laptop, so
I was forced to hang out with the gutter punk party boys (and
read Perl and Computer Science by the pool). I had a few good
conversations but for the most part I was bored out of my tree.
Nathan Torkington was there again, and again, I saw him briefly
(momentarily) before he succumbed to the forces of wisk and
was wisked away (under his own wisk power). Gnat would rather have
been at OSCON (I assume) and so would have I. (Gnat is ORA's
security editor now, so this is on-topic for him and OSCON
is only less so). The capturer-the-flag server OS was Windows 2000, and 
applications included IIS, SQL Server, a MOO, and, well, other things. I didn't
touch a keyboard (I didn't have one to touch, I'm not touching this
stuff, and I had swonrd off CtF anyway). The only strategy
worth a damn was sniffing the wire, analyzing the protocols,
and doing to everyone else what was apparently being done to you.
Actively defending as a strategy did not apply as it had in
years past, and exploits where in too large of a ethereal
meta-space to be easily identified by a quick audit or
updates. CtF was a mix of voodoo and cargo culting this year.
While I wouldn't have touched the keyboard, it was a very
interesting practical demonstration of Microsoft security and
worth seeing. But CtF is primarily a spectator sport. Oh,
and most of the contestents stayed awake 36 hours straight
as the 8 hour night breaks were removed this year. (Microsoft
related comment deleted). The talks were... well... not
exactly hands on and not exactly advanced. In previous years,
the talks were almost as uenthraling, but they were almost impossible
to get into. Instead, you were encouraged to sit in your hotel 
room and watch it on CCTV - usually without sound, and the camera
pointed the wrong direction, or else only able to see the slides
and not the speaker or props. So many fewer people came this
year, according to my estimate. Script kiddies have got to be
disappointed by the lack of real black-hat potential stuff.
Security professions have got to be disappointed by the lack of
reporting on trends and aggregate data. Some geeks would be
satisified by some of the under the covers looks at 
technology. The PGP talk was good - it got into all the
various ways it got misintegrated into proprietary protocols
(Microsoft sends a plain text version of the document off
Exxchange just in case you don't have PGP to decode the encrypted
copy - d'oh!). This was a good talk. Other "technical" talks
tended to be idle, non-expert speculation about things that have
been speculated about before but are then passed off a concept
of importance. The party atmosphere DEFCON is known for is
on the decline was well. The fetishes (including public nudity,
latex, S&M, and so on) didn't make nearly the appearance they
did last year. General concensus is skip DEFCON and do HOPE.
It isn't the same party atmosphere, but it has everything else
(and not everyone wants a huge party anyway). The LAN room is
all but dead - that was my primary attraction - recreating the
CS lab experience from college (and the several years before
college when I was pretending to be a college student just for the 
lab experience). Now rather than a mess of cables on the floor, hubs,
switches, routers, power cords, etc, all over the place with
hundreds of hackers crawded arounds tables, on the floor, and
along the walls hacking all night on some presumabily interesting
project, now, a few people were at tables and in the halls running off battery
just to check their email briefly over WiFi while they waited for the
next crummy talk. 

-scott