DeepSec 2011 Conference Network Observations
All of you who attended DeepSec 2011 know that we had a Wall of Sheep at the conference. We set it up by copying packets via the Netfilter TEE target from the router to the Wall of Sheep box (note to self: never ever mirror broadcast or multicast packets). We only displayed logins and the number of characters of the password; all data was processed and stored in RAM. The display was only accessible from the conference network.

On the first day of the conference we did not announce the Wall; we only encouraged everyone to use secure protocols and not to use services that send sensitive data unprotected. We even set up posters and flyers warning about using the conference network (the reason being other events at the venue taking place in parallel). We got about 80 hits. We talked to people we could identify by login and told them. On the second day we announced that there is a Wall of Sheep and published the URL locally. Then we got about 20-30 hits.

So, what have we seen?
- Even security-aware persons can overlook a simple check-box or an auto-login using insecure protocols by default (using the wrong ports for IRC on Freenode for example).
- Some users use services that offer SSL/TLS with self-signed certificates and turn SSL/TLS off because of the annoying requesters. No fault of the users, everyone tries to get rid of pop-up windows.
- Recommending protected communication is less effective than publicly displaying logins. People only believe it when they see it. No news here for anyone involved in the full/responsible/no disclosure discussions.
- You cannot expect Zen mastery of encrypted protocols from end-users. Few are even aware of the tools they can use and the configuration they have to select. In addition, not everyone uses VPN tunnels or other means of encrypting data over the "first mile".
- If you want to help the sheep, then you have to prepare easy-to-understand and easy-to-implement workarounds or configuration descriptions. Ridiculing someone or simply saying "Then just turn on encryption!" doesn't help.
- If you develop an application and design network communication, make sure you do not shift the burden of securing the transmissions to the system administrator or end user. No one likes jumping through hoops. Make it easy to use.
- If you offer a service, please offer protection for data in transit as well. Some entries on the Wall were due to servers not offering any kind of in-transit protection.
Our router also recorded 3,645,892 netflows during the 4 days of DeepSec (flow records only contained timestamps, ports, packets, bytes and duration, no addresses). This includes some of the broadcast and multicast packets that got amplified by the Wall of Sheep, so we had some very busy Intertubes at DeepSec 2011. Probably because of the cat videos.
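The mirroring setup mentioned above (Netfilter TEE on the router, with broadcast and multicast kept out of the copy) could be written as follows. This is an added example, not the configuration used at DeepSec; the chain name `WOS_MIRROR`, the interface `eth1` and the address `192.0.2.10` are assumptions.

```shell
#!/bin/sh
# Added example: print iptables rules that mirror traffic arriving on the
# conference LAN to a collector box via the TEE target, while returning
# early for broadcast and multicast so those packets are never cloned.
# Chain name, interface and address below are constructed sample values.

# mirror_rules LAN_IF COLLECTOR_IPV4
# Prints the rules instead of applying them, so they can be reviewed first.
mirror_rules() {
    mr_if=$1
    mr_ip=$2
    # Reject anything that is not a plain interface name / dotted IPv4,
    # because the output is meant to be fed to a root shell.
    case $mr_if in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 2 ;;
    esac
    case $mr_ip in
        ''|*[!0-9.]*) echo "collector must be an IPv4 address" >&2; return 2 ;;
    esac

    echo "iptables -t mangle -N WOS_MIRROR"
    # Link-layer check: skip frames that were not unicast on the wire.
    echo "iptables -t mangle -A WOS_MIRROR -m pkttype ! --pkt-type unicast -j RETURN"
    # IP-layer check: skip broadcast and multicast destinations as well.
    echo "iptables -t mangle -A WOS_MIRROR -m addrtype --dst-type BROADCAST -j RETURN"
    echo "iptables -t mangle -A WOS_MIRROR -m addrtype --dst-type MULTICAST -j RETURN"
    # Only what is left gets cloned to the collector on the local segment.
    echo "iptables -t mangle -A WOS_MIRROR -j TEE --gateway $mr_ip"
    # Do not mirror the collector's own traffic back to it.
    echo "iptables -t mangle -A PREROUTING -i $mr_if ! -s $mr_ip -j WOS_MIRROR"
}

# Sample invocation with constructed values (prints six rules).
mirror_rules eth1 192.0.2.10
```

The order matters: the `RETURN` rules must precede the `TEE` rule in the chain, otherwise broadcast and multicast packets are cloned before they can be skipped.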