In a presentation late last week at the Director of National Intelligence Open Source Conference in Washington, Dr. Dwight Toavs, a professor at the Pentagon-funded National Defense University, gave a bit of a primer on virtual worlds to an audience largely ignorant about what happens in these online spaces. Then he launched into a scenario, to demonstrate how a meatspace plot might be hidden by in-game chatter.

In it, two World of Warcraft players discuss a raid on the "White Keep" inside the "Stonetalon Mountains." The major objective is to set off a "Dragon Fire spell" inside, and make off with "110 Gold and 234 Silver" in treasure. "No one will dance there for a hundred years after this spell is cast," one player, "war_monger," crows.

Except, in this case, the White Keep is at 1600 Pennsylvania Avenue. "Dragon Fire" is an unconventional weapon. And "110 Gold and 234 Silver" tells the plotters how to align the game's map with one of Washington, D.C.

I don't know why he thinks that the terrorists will use World of Warcraft and not some other online world. Or Facebook. Or Usenet. Or a chat room. Or e-mail. Or the telephone. I don't even know why the particular form of communication is in any way important.

The article ends with this nice paragraph:

Steven Aftergood, the Federation of the American Scientists analyst who's been following the intelligence community for years, wonders how realistic these sorts of scenarios are, really. "This concern is out there. But it has to be viewed in context. It's the job of intelligence agencies to anticipate threats and counter them. With that orientation, they're always going to give more weight to a particular scenario than an objective analysis would allow," he tells Danger Room. "Could terrorists use Second Life? Sure, they can use anything. But is it a significant augmentation? That's not obvious. It's a scenario that an intelligence officer is duty-bound to consider. That's all."

My guess is still that some clever Pentagon researchers have figured out how to play World of Warcraft on the job, and they're not giving that perk up anytime soon.

LAS VEGAS -- Last weekend, more than 9,000 hackers, freaks, feds and geeks gathered for the 16th annual DefCon, the world's largest computer security convention.

Wired.com brought you live coverage of the most newsworthy events at DefCon 16. Here are some photos from the lighter side of the conference.

Left: South Korean hackers compete in the Capture the Flag competition. The goal is to hack into and keep control of targeted servers.

Mr. Sinister and Dragon Cracker battle it out in a round of Guitar Hero -- one of DefCon's newest competitions.

Bringing-your-own-booze supply ensures optimal buzz at DefCon. Shortly after this picture was taken, hotel security escorted this backpack-hacker to his room.

Computer geeks from the National Institute of Standards and Technology set up a network secured with quantum encryption in a conference room at DefCon. The quantum-entangled photons are being used to encrypt a video stream across a line-of-site network.

A compact optical bench and an atomic clock (left) are used to secure a network with quantum encryption.

In the Lock Pick Pavilion, DefCon attendees Dustin, Jennalynn and Kunfoozball practice their lock-picking skills.

DefCon founder and organizer Jeff Moss, aka Dark Tangent, at the conference's closing ceremony Sunday.

A collection of black badges awaits the winners of the various competitions. These badges give their holders lifetime entry to DefCon.

One of DefCon's logos, the smiley-faced skull and crossbones, is welded inside a yellow sphere. The sphere is the primary stage of one of the most difficult competitions at DefCon: The Mystery Challenge.

Unbeknownst to attendees, this laptop is sniffing RFID tags and taking photos of their owners when they pass in front of the detectors. RFID tags are used in everything from building access to some credit cards.

At the closing ceremony, DefCon organizers turn off the lights while the attendees wave their high-tech badges back and forth.

1) We ended up monitoring 205 nodes in the official show network. They broke down as follows:

• 73 switches (Enterasys and Netgear),
• 4 routers (Enterasys),
• 28 power distribution units (APC),
• 5 IDSes (Enterasys Dragon),
• 20 environmental monitors (APC),
• 2 load balancers (Coyote Point),
• 2 VMware servers,
• 5 DNS and DHCP Servers (BlueCat Networks),
• 27 IP KVMs (Avocent),
• 27 IP Power Strips (Server Technologies),
• 1 Master Wireless Controller (Aruba Networks),
• 2 IP-PBX Boxes (Digium Asterisk),
• 4 Optical Taps (NetOptics),
• 1 Splunk server and
• 4 external WAN links (Qwest).

EM7 pulled data from all of these devices and delivered a single view of the data to the NOC.

2) Uptime for the network was 100%. That isn’t to say that there weren’t some device failures, but each of them was handled properly by the redundancy in the network and the show exhibitors and attendees saw no impact from these failures. This is a real testament to the design and build of the network. It’s hard enough to build a complicated network in two weeks, but then to keep it up and running 100% of the time in the wild west environment that is Interop, is really phenomenal.

3) The average monitored device in the show network didn’t even hit 10% CPU utilization. This is interesting because many items were virtualized using vmWare this year and yet, there was still a lot of hardware overhead available. (Maybe we should run Folding@Home on the show network?)

4) The show network was busy. By our calculation over 864 gigabytes of data was pulled in and 1.01 terabytes of data were pushed out of the WAN links in the 3 days that the show floor was open. That’s a sustained 56Mbps average, including off hours. At peak the show network hit about 102Mbps of WAN utilization.

5) In the three days the show floor was open the network and its supporting NOC gear used 600 kwh (kilowatt hours) per day. As a comparison, the town of Rockport, Missouri (1,300 residents) uses about 35,600kwh per day. On a side note, they are completely powered by wind power and in fact sell 3,000,000kwh per year back to the local power utility. I’m thinking next year Interop should bring some wind turbines as part of the InteropNet kit?

Next I’ll be doing some analysis on the trouble tickets opened. I think it’ll be interesting to see the kinds of issues that vendors experienced and how quickly the InteropNet staff handled them. Look for that in the next couple of days.

ShareThis

There are some days where nothing strikes me as interesting enough to blog.  Than there are days like today where there are just too many things that I find compelling enough to comment on.  So rather than do 4 or 5 posts today, let me condense all of this goodness (I hope) into one post:

1. Sophos releases "financial results ahead of analysts expectations". While I applaud the Sophos folks for making public their revenue numbers (at least gross, net and deferred totals it seems), I am not sure what analysts they are talking about.  As a private company, it is not like people are trading their stock and the financial analyst crowd is putting their numbers on the street.  200+m is a lot of revenue, even for an AV company and 40+m to the bottom line is impressive, but until you are public, no one is holding your feet to the fire and analyst coverage is just not the same.

Authors note: Dr. Jan Hruska, co-founder of Sophos wrote me off line and gave me permission to publish this comment: 2. Apple is ready to enter the platform war - Larry Dignan over at ZDNet has some good comments and stats on Apple vying with Microsoft and Linux/open source to be "the platform" of the future. I agree that the iPhone and iPod are Trojan Horses into the enterprise and along with the Mac represent a viable platform that could compete with Microsoft and the Linux/open source crowd.  However, I don't think you can judge how many developers are developing Mac/iPhone apps based on the crowd at the upcoming WWDC (worldwide developer conference).  Steve Jobs is a master showman and I think these conferences have become media events.  Many people are there to to twitter and report and to "be there".

In October last year we prepared for a float on the London Stock Exchange. As a part of the exercise we had analysts from the three sponsor banks produce their projections for revenue etc for the next three years. We did better that their projections for 2007/08.

Larry is right though that Apple has to balance being too iPhone and iPod crazy at the risk of ignoring the "real" platform here the Mac.  His example about PGP developing a Mac version is a great point.  I have heard many other security companies likewise bringing Mac versions to market. This graphic I think shows the point well:

  But my ultimate point on this one is that the ultimate platform will be the web.  What the underlying OS is for future web apps should be somewhat meaningless.  The webtop platform would seem to me to be the platform going forward!

In any event the WWDC should be a lot of fun and I will be watching to see if any new reports come out.

3. Belden buys Trapeze - Another independent WLAN provider gets bought. Doesn't seem like a great multiple, 133m on 2007 revenue of 56m.  There are not many independent WLAN providers out there now.  Meru Networks is probably the biggest of the bunch. You don't hear too many people saying that wireless is not here yet anymore.

4. McAfee still chasing the dragon on security ROI - McAfee announced that using the Forrester Economic Impact Calculator you can now easily find out your ROI from buying a McAfee product. They have a very nice diagram that I have pasted in here. They ask you to plug in a few numbers about type of security you want, desktops, laptops and servers and presto - they give you an ROI.  I didn't call them to get the scoop, but it really underwhelmed me.  Looks like smoke and mirrors to me, just like many of these security ROIs do.

There are some days where nothing strikes me as interesting enough to blog.  Than there are days like today where there are just too many things that I find compelling enough to comment on.  So rather than do 4 or 5 posts today, let me condense all of this goodness (I hope) into one post:

1. Sophos releases "financial results ahead of analysts expectations". While I applaud the Sophos folks for making public their revenue numbers (at least gross, net and deferred totals it seems), I am not sure what analysts they are talking about.  As a private company, it is not like people are trading their stock and the financial analyst crowd is putting their numbers on the street.  200+m is a lot of revenue, even for an AV company and 40+m to the bottom line is impressive, but until you are public, no one is holding your feet to the fire and analyst coverage is just not the same.

2. Apple is ready to enter the platform war - Larry Dignan over at ZDNet has some good comments and stats on Apple vying with Microsoft and Linux/open source to be "the platform" of the future. I agree that the iPhone and iPod are Trojan Horses into the enterprise and along with the Mac represent a viable platform that could compete with Microsoft and the Linux/open source crowd.  However, I don't think you can judge how many developers are developing Mac/iPhone apps based on the crowd at the upcoming WWDC (worldwide developer conference).  Steve Jobs is a master showman and I think these conferences have become media events.  Many people are there to to twitter and report and to "be there".

Larry is right though that Apple has to balance being too iPhone and iPod crazy at the risk of ignoring the "real" platform here the Mac.  His example about PGP developing a Mac version is a great point.  I have heard many other security companies likewise bringing Mac versions to market. This graphic I think shows the point well:

  But my ultimate point on this one is that the ultimate platform will be the web.  What the underlying OS is for future web apps should be somewhat meaningless.  The webtop platform would seem to me to be the platform going forward!

In any event the WWDC should be a lot of fun and I will be watching to see if any new reports come out.

3. Belden buys Trapeze - Another independent WLAN provider gets bought. Doesn't seem like a great multiple, 133m on 2007 revenue of 56m.  There are not many independent WLAN providers out there now.  Meru Networks is probably the biggest of the bunch. You don't hear too many people saying that wireless is not here yet anymore.

4. McAfee still chasing the dragon on security ROI - McAfee announced that using the Forrester Economic Impact Calculator you can now easily find out your ROI from buying a McAfee product. They have a very nice diagram that I have pasted in here. They ask you to plug in a few numbers about type of security you want, desktops, laptops and servers and presto - they give you an ROI.  I didn't call them to get the scoop, but it really underwhelmed me.  Looks like smoke and mirrors to me, just like many of these security ROIs do.

For three days, InteropNet is one of the largest hacking targets on the planet. Attacks and threats come from both inside and outside the network. While the external attacks are certainly more malicious in intent, most of the internal ones ended up being due to misconfiguration or just plain misunderstanding.

Let’s play a game. It’s called Malicious or Not.

1. Video streaming devices flooded the network with millions of multicast packets per second. EM7 noticed a big bump in latency on that network segment at the same time that the Enterasys Dragon IDS caught the flood of packets. Both tools could tell the origin of the packets and traced them back to misconfigured video multicast devices. In this case Not Malicious, but the result was still degradation to that network segment until the problem was fixed.
2. One vendor at the show purposely scanned all other devices on the show network to model them in their product demos. They didn’t ask anyone’s permission (or at least they didn’t ask ours). They purposely used multiple community strings to see if any would work. Malicious or Not? I’ll let you guys take this one. Personally I don’t think they meant it to be malicious, but as a monitoring tool in this space, they should have known that doing all that scanning would actually degrade network and other vendors’ device performance. I wonder if this is the vendor that was telling people that it does this at every show, and this is the first time it’s been caught.

Connect the Vendors

Enterasys took care of external attacks by identifying them and asking Qwest to block them. But it’s with the internal “devices behaving badly”, that the real fun began. It took a combination of vendors to identify, confirm and track down the offenders on the network.

First Enterasys Dragon IDS alerted on suspicious behaviors. Dragon identified what IP, MAC address or port on a switch was having the issue – which information was cross-checked against vendor registry info in EM7 to track down offenders to a booth, a room or a wireless access point in the facility. Splunk was also used to look at logs and verify the source of bad behavior.

For tracking down wireless misbehavior, Aruba Networks had a cool tool that took the info from Dragon and EM7 and used it to literally triangulate the location (down to a laptop).

Before the show started, we played wireless security hide and seek – testing our security process by sending people out with laptops and finding them, gps-style, whether they were walking around or hiding under a desk.

Overall, I think the real-life multi-vendor network security solutions I’ve described here are great examples of why interoperability is so important and why InteropNet was such a great experience.

ShareThis