During the first week of August, I was fortunate enough to spend a week at DEFCON in Las Vegas. For the uninitiated, DEFCON is an annual hacking conference that draws the interest and attendance of roughly 30,000 hackers, information-security enthusiasts, information-security engineers, government workers, law-enforcement agents, podcasters, technologists, and anyone else interested in the myriad of subjects covered at the conference. (For those well-versed in this arena, jump to my recap below.)
DEFCON differs from other security conferences in that it maintains its grassroots attitude towards hacking and independence. While other article-of-clothing related hacking and security conferences have monetized on the fact that information security is a lucrative business, DEFCON has retained its style, its crowd-sourced nature, and its dedication to existence outside the influence of the monetization of security as a practice. The conference offers a completely cash-only experience and allows for its attendees to be who they want to be. Official posts and signage encourage conference-goers to only share as much information with others as they feel comfortable with. Many conversations I had were with individuals who didn’t want to share exact names, locations, or areas of work. So go with the expectation that a number of individuals at DEFCON are there to be anonymous in their experience and that not everyone is comfortable being open with their information. All of this is pre-baked into the conference by those who manage and run the conference.
As for activities and offerings, DEFCON is an eclectic conference with an expansive list of opportunities to get involved and participate in. Given the extreme quantity of opportunities to learn, work, play, and be involved in at DEFCON, my purpose in writing this blog is to provide an outline of what is offered at the conference, what I found to be useful, and some interesting bits of information I took home from the conference this year. Since the conference is so expansive, be warned that this is not an all-inclusive list and that there is far more content than can be covered in a single blog post. DEFCON is what you make of it. Every visitor’s experience is going to vary wildly based on what you choose to attend, where you spend your time, and how willing you are to go with the flow, put yourself out there, and invest in the time you have at the conference. If you want to see what was available at DEFCON 30 for yourself and determine if it’s a conference you may be interested in in the future, check out the Forum Pages for all past offerings and to keep an eye on future offerings at DEFCON.
What is Offered at DEFCON:
Speakers/Talks: Presented on the main-stages or within villages—more on those in a moment—these talks cover a myriad of subjects from exploiting vulnerabilities using nothing but emojis, using Freedom of Information Act (FOIA) requests to obtain code from the federal government to learn how to best exploit systems running obscure languages, offline access control system hacking, modern events like the war in Ukraine and malware being used as part of the offensive, and even subjects like a scientific look at UFO’s and their possible existence. If you want to look through past years presentations and slide- decks to see if DEFCON talks are something you want to see in the future, the DEFCON team provides them on their online media server.
Villages: Villages at DEFCON are coordinated by members of the DEFCON community to orchestrate talks, miniature workshops, easy-to-digest trainings, and demonstrate examples of their area of security in theory and practice. The lock picking village contains numerous stations and tables for lock picking enthusiasts to sit, collaborate and pick locks together sharing knowledge and techniques for bypassing any number of physical locks using picking or raking techniques. Furthermore, talks and miniature workshops were provided to give beginners a basic introduction to the world of lock picking and jump-start the new hobby with tips, tricks, and equipment referrals. The aerospace village provided hands-on labs working with hacking satellites, drones, and anything that flies in—or out—of Earth’s atmosphere. The Blue Team Village contained talks and demonstrations of protecting against classic and rising threats in the cyber-sphere whereas the red-team and adversary villages focused on developing new skills and new techniques to bypass typical and new defenses within computer networks.
Many of the villages provide enough content to be a conference all on their own and provide hands-on activities and contests for hackers to participate in and win prizes like challenge- coins, village-specific badges, and other village-specific swag.
For a list of the villages and past workshops/talks/activities check out the official DEFCON Villages Section of the DEFCON Forums.
Contests: Numerous contests take place over the course of DEFCON. There is an annual hacking/CTF competition held for the duration of DEFCON wherein top-tier hackers from around the planet compete in a unique attack/defend style CTF challenge against one- another to earn flags/points/achievements and earn the highest score to win the competition. There is a viewing area wherein anyone can watch the masters at work and learn by watching the best-of-the-best go at one another to earn the top position and—typically--earn a black badge for their troubles. Teams must qualify to compete at DEFCON and it is one of the most premiere CTFs in the world.
For those less technically inclined there is a vishing contest in the Social Engineering village where teams from across the globe compete to gain information over the phone from real employees of real companies. Qualifications for this contest begin earlier in the year and require teams of up to three individuals to submit an expansive Open-Source Intelligence (OSINT) report containing extensive information about the target of the vishing contest to qualify for the competition at DEFCON. Whether competing or not, watching individuals cold-call company employees and obtain sensitive information over the phone in real time is eye opening, entertaining, and worth the trip.
There are other contests to participate in as well: Cryptography Puzzles, Badge Puzzles, Password Cracking Competitions, A Massive Scavenger Hunt that requires a team to collect any number of items from around Las Vegas and provide physical or video evidence of task completion, and many many more. For a list of the contests that were available at DEFCON 30, check out the official forum page.
Workshops: There are multiple workshops that take place at DEFCON covering subjects like HAM Radio Licensing, specific hacking skills, soldering skills, alerting/detection skills, password cracking skills, etc. These workshops are difficult to get into as they have limited seating. I have heard great things from those who were fortunate enough to earn a spot in one of the classrooms, however, to get into a workshop you need to be watching for the registration dates and attempt to secure a spot the moment they go online. Again, like many of these other activities, DEFCON 30 workshops are still listed online, so if you want to see what options were available and get a feel for what types of things may be offered in future years, check out the official DEFCON forums.
Parties/Activities: DEFCON hosts a number of parties and activities for hackers of every flavor. There was a DEFCON Pub Crawl, the 4x5k runs, Pool Parties, Arcade Parties, Blanket-Fort Con, Hacker Karaoke, the Toxic BBQ, Region-Specific DEFCON Group Meetups, Pilot Meetups, and Shooting Range Outings, DEFCON has a party/activity for everyone's taste. Many of the parties are listed on the DEFCON 30 forums, but there are also parties held at DEFCON that are less publicized and must be sniffed out organically.
Regardless as to whether you are a hacker, a social engineer, a physical-security expert, or just someone fascinated by the world of hacking/penetration testing/lockpicking/physical security/or just a fan of the movie Hackers with Angelina Jolie, Jonny Lee Miller, and Jesse Bradford there is a place for you to participate at DEFCON.
How to Approach DEFCON and What I Brought Home From the Conference:
With all the options available and all the areas of interest covered by a single conference, it can be difficult and overwhelming to know where best to spend your time. As stated above, many of the slide-decks are saved and shared after the conference and many of the main-stage talks are also recorded and distributed after the conference as well so missing a talk or two in lieu of something only taking place at the conference.
One of the areas I spent much of my time was at the SkyTalks. While missing from DEFCON 29, SkyTalks were back at DEFCON 30 and brought a “Classic DEFCON presentation format” back to DEFCON. These talks take place in an isolated room where no electronic device usage is allowed and no recording of any type is allowed. These talks are strictly off-the-books to protect the identities of the presenters and of the content that they are providing to the DEFCON community. Many of these talks contain less-than-legal information, information about ongoing sensitive cases in the justice system, or information about research projects and hacks that take place in gray areas of the law. While disclosing any information about specifics from within the SkyTalks is strictly prohibited, I can share that these talks provide attendees with a sense of learning secret information that you can’t find anywhere else on the internet and were exceptional in all cases. If talks about legally gray content sounds interesting and you want to read the titles of the talks that were available at DEFCON 30, the schedule is still live online here and I would highly recommend checking out SkyTalks at future DEFCONs.
Watching the competitions was another highlight of the conference. The Vishing Competition was hilarious, intriguing, and worth every moment spent waiting in line to get in. Teams of Voice-Phishers (Vishers) call individuals from a company to attain flags to earn points. Some of the flags that they must collect include information like what operating system is in use by the company, whether they have multi-factor-authentication enabled, what types of door locks are used on the physical building, whether users are working remotely or from the office, what type of VPN is in use and whether it is always on, and other details about information security practices at the company. Independent judges also adjust their point-values based on tactics used by the vishers like pretexting—providing the victim on the call with a legitimate sounding excuse for the reason for the call to gain additional trust—or gaining additional information when the user is unwilling to provide other information on the call. For example, a user stated that they would not feel comfortable providing information over the phone, so the visher asked them for their company email address so they could send them an email for the following work day; thereby gaining an additional data point while disconnecting the call. Due to federal wire-tapping laws, these sessions are not allowed to be recorded in any manner, so to see it happen you have to be there.
Furthermore, watching the CTF competition was worth every moment. Teams of hackers spend the entire conference protecting their systems and attacking the other teams to try and earn points to win the competition. The skill and speed at which these hackers were able to complete tasks and react to an ever-changing threat landscape and the tool sets they developed and employed during the competition was mind-boggling.
Contestants at these contests were competing for the chance to win a Black Badge. The Black Badges at DEFCON are awarded to those who win specific contests or achieve something great for DEFCON. The DEFCON Black Badge provides the owner with a lifetime of admissions to future DEFCONs and can (potentially) be worth up to thousands of US dollars.
I would also recommend going into DEFCON with a rough plan of main stage talks that you want to go to. Getting there early ensures that you can talk to those in the seats next to you and network before the talk begins. Many of the talks have great content and are presented professionally by experts in the field. The Hacker Tracker application helps organize the talks you are interested in and helps keep track of where you should be at any given moment depending on your plan. I found that at times, talks with flashy titles don’t always deliver on the content whereas talks with boring titles had some of the best content.
For me, at DEFCON 30, the talks were a mixed-bag of results. Some I walked away from with a better understanding of the technology world and others I walked away from feeling like I had had the news of the last three months summarized for me. My recommendation would be to go into a talk that sounds interesting with an open mind and the option to dip out early if it doesn’t live up to it’s promise. With so much to do and so many opportunities for learning, if something isn’t up your alley, there is definitely something going on at the same time that will be.
Many of the villages had hands-on activities to teach new skills. The rogues village taught how to bend a bobby-pin into a handcuff lock pick and pick out of handcuffs. The Tamper-Evidence village taught how to bypass tamper-proof tape, manipulate the contents of the box, and place the tape back exactly how it was. The physical security village taught how to bypass typical physical controls using methods other than lock picks including shimming, physical intrusion, and how to physically manipulate electronic door locks to bypass the controls. These hands-on activities were short, to the point, and provided a real-world experience that you can take away from the conference as a tool on your “bad-guy/bad-girl” tool belt for future use cases—professionally or otherwise.
With close to 30,000 individuals at the conference, it is easy to feel like an unimportant drop in a much larger ocean. One recommendation I would provide to anyone looking to go to DEFCON is to get involved early. Talk to people on the forums, try to make some connections, get involved at a party, a run, or a barbecue, take on some responsibilities or throw your hat in the ring to be involved in the contests. Finding a way to plug-in can be daunting and finding an area of the conference where you fit in can be difficult. Always be searching, keep your head out of your devices, and work on finding something at the conference that excites you. Whether it’s a puzzle, a contest, a party, a village, or a workshop, there is something for everyone at DEFCON if you look hard enough.
Additionally, spend time outside your hotel room. Even if you’re not in the conference space we met many a hacker at the blackjack tables, restaurants, in the hallways, or waiting in line for a talk. Keeping your head up, being willing to start a conversation, and keeping an open-mind will benefit you greatly in getting connected with the hacking community.
Finally, the conference is exhausting. With so much to do and so many opportunities for involvement. You have to pick-and-choose and enter the conference knowing that you can’t do everything. With so much going on, don’t be afraid to back out of a talk if it’s not what you want and go find something else that’s more your speed. Don’t be afraid to dive in and try something new and potentially look stupid in front of someone who knows way more than you do about a particular subject. Spend as much time as you can absorbing the information and learning what you can, but don’t forget to take the time to enjoy the fellow conference goers and just enjoy the experience that DEFCON has to offer.
Take a dive into our experience at the DEFCON30 UFO talk, or browse other topics on the DEFCON site.
DEFCON 31 is already announced and will take place at Caesar’s Forum, Harrah’s Flamingo and The Linq again in 2023. For up-to-date information view https://DEFCON.org and watch the forums at https://forum.defcon.org for talks, announcements, calls for papers, parties, contests, and ways to get involved in 2023.
-Kyle Rozendaal