For over two decades, members of the hacking community from around the world have come together to analyze and poke fun at the craziness on the DEF CON network. This has become so popular that it's grown from a few people sitting at a little round table into thousands in the Packet Hacking Village. My name is Riverside, and I'm here at the Wall of Sheep to share a few of my favorite stories about the sheep we've caught and the fails they've made.
It's truly amazing how little people have cared over the years about their privacy, and more importantly, their personally identifiable information. Year after year after year, some of the best hackers from around the world have made some of the worst decisions while under the influence of DEF CON. We've seen attendees apply for jobs, loans, and do all sorts of other interesting and crazy things in the clear, sending copies of their social security cards, driver's license, passports, and whatever other private information about them you could possibly imagine.
One individual decided that they should be working on their taxes at DEF CON instead of hacking. It was especially amusing to our team, as in this case, we could watch everything they were doing live.
Not everyone realizes the data on the wall is not live. Captured credentials go into a tool we call the sharing barn, which is where our shepherds look through the data and accept or deny entries to be placed up on the wall. We do this for a few reasons, the main being, well, hackers will be hackers, and they intentionally try to make crazy things appear on the screen. For example, one year someone wrote a tool to log into a server over and over with different ASCII characters. This made for a really interesting ASCII art picture, but while funny to us, it wasn't really something we wanted up on the wall. Another being that there's just too much data for us to sift through. Depending on how many people are in the village, we sometimes are hours behind the analysis.
One day, we had an attendee come up to the wall and ask if their credentials were captured and if they were up on the wall. I asked them for their username and password, which in true sheep form, they wrote down on a piece of paper for me, and I walked over to the sharing barn, put them into the app and said, yep, you're a sheep.
About a decade ago, we were kicking back at the Wall of Sheep, watching traffic as we do, and noticed something beyond anything that we've seen in the past. It was somebody hacking into a major university live from DEF CON. They'd gotten into the border router and had begun to pivot around through their network. We had a few friends that had gone to that university, so we figured we'd give them a call and let them know. We told them we were at DEF CON and watching their network get hacked live. They laughed and said, yeah, right, and hung up on us. We tried this a few more times and had the same result. So we contacted one of the goons that interacts with the feds and asked them to go spot a fed for us and send them over our way. Like magic, poof, a fed popped out of nowhere and was filled in on the situation. He called the same number we did. However, this time, he said, hi, my name is Agent SuperFed, badge number 1337, and you're actively being hacked. Please call the agency headquarters and ask to be connected to me. He then hung up and minutes later, a freaked-out NOC operator was on the line. He then said, here, talk to the guys that called you in the first place, and strongly suggested that they take reports like that a lot more seriously in the future.
In the early years of smartphones, absolutely everyone was tweeting everything they saw unfiltered every moment of the day. Okay, well, that hasn't really changed, but back then many of the Twitter third-party applications on the phones didn't use encryption. We were catching hundreds of Twitter accounts per hour and felt obligated to find a way to make it stop.
One of the hackers in our community was one of the original members of Twitter. So we called him up and explained the situation. He got the dev team on the line and then said there's no reason that they shouldn't be using encryption. The API handles it just fine. We then contacted somebody we knew at the third-party application company and they stated while Twitter's API could use encryption, they were told not to do so as their servers couldn't handle it. This sounded insane to us. So we asked them if we could bridge them into a conference call to figure it all out. They agreed and we found that there was a giant miscommunication between the two companies. In the end, they turned on encryption for all customers while we were at DEF CON.
One year, we caught the CEO of a major security firm sending an email with all of their organization's passwords in the clear to their backup. And when I say all, I mean all. I mean passwords to their websites, email servers, source code repositories, HR system, you name it, it was there. The irony is that the email stated that they weren't going to use their computer or phone anymore because they were at DEF CON and they didn't want to get hacked. This was the kind of fail that could permanently put a company out of business. So we decided to do the right thing and notify them. We sent the CEO an email and didn't get a response. We then decided to call the phone number on their main website and explain the situation. They got in touch with the CEO while we were on the phone and they outright denied it, deny, deny, deny. So we said, okay, we have multiple reporters here and a PCAP with all the recorded evidence. This can go two ways. We can share this with the press or you can fess up, fix it and come take some remedial security training. In the end, they took their lumps in exchange for not being outed to the press and years later, they came and personally thanked us for how we handled it.
In the early years of running the Wall of Sheep, almost nothing used encryption. You've heard of the term target-rich environment. Well, this was definitely that. One day, while watching the packets fly by, we noticed a conversation happening between two people we knew. This conversation was way too juicy not to interrupt with a little man-in-the-middle action. So they were trying to meet up physically and let's just say they may have been running around the hotel for hours before they found one another.
Las Vegas has a saying. What happens in Vegas stays in Vegas. That is definitely not the case when discussing the DEF CON network. If you're doing something that you wanna have stay private, doing it on what's considered to be the world's most hostile network is not the right place to do it without proper security practices. There was one particular year that seemed to be the year of the cheaters. It was crazy watching all of this live. We found people from all genders, ages and backgrounds cheating. You name it, they were doing it and that seemed to be the year we saw it all. Now let's just say some of the images being sent back and forth were not flattering nor were they anything someone would wanna have become public.
Extra, extra, read all about it. Super expensive antivirus, free for all. Joking aside, one of the major antivirus vendors did all of its updates via FTP. All anyone needed to do was capture the credentials, download the software, put in the username and password and they could get free antivirus. One of the hackers close to us in the community knew the creators and submitted a ticket noting the security issue to get it fixed once we let them know. DEF CON had ended and we didn't think twice about it until the next year when, lo and behold, they still had the same security issue. This was absolutely inexcusable and required a little bit more of our special type of attention.
Not only did they update in the clear, we realized that they were not signing their updates and we were able to upload our own custom database where it considered every Windows file a virus. Of course, this was all done in a very safe, isolated way to prove it out. But let's just say there was action within days after we let them know.
The hacking community historically has had a love-hate relationship with the press. They love to hate the press. We've been very fortunate at DEF CON to have had amazing press liaisons over the years ensuring we have had quality press to work with. Unfortunately, we don't always get that level of quality. Multiple times we've had press ask us to ghostwrite articles for them, say things that are absolutely not true as a security expert on record or help them scoop other members of the press. One year, we caught a member of one press organization hacking into another press organization to steal their story. You just never know which one to trust.
Around 20 years ago at the Alexis Park, DEF CON and the world was a lot more raw and unfiltered. We were younger and doing a lot of crazy things back then. We put together a setup that looked at every image flying by the DEF CON network and then displayed it on a screen. And let me tell you, it was not for the faint of heart. One of our shepherds thought, hey, it'd be really funny to project this on the wall for everyone to see. So we started doing that. And when the attendees realized it was displaying every single image that anyone looked at on the web, well, needless to say, the game was on. Everyone was trying to one-up each other with something nastier or weirder. Lemons and grannies and goats, oh my! Then out of the corner of our eye, we noticed a majestic DT running towards us at lightning speed, bouncing like a gazelle, yelling, no! Needless to say, he asked us to take it down and that was the end of that. Or was it?
We understood what he was trying to do to mature the conference and bring in new blood. But we, being the hackers we were, had to find a way to continue the fun while respecting his wishes. This is when we came up with the coin-operated network sniffer peekaboo booth. We built a booth with a screen and a disclaimer on it that clearly stated 18 plus and would allow people to drop a coin in, accept the EULA and watch the traffic in all its glory.
While there are a lot more stories, some are only appropriate over drinks and some are frankly just not appropriate at all. I hope you enjoyed the ones I shared. Thank you.