The DEFCON hacker convention is one of the world’s largest and most notable hacker conventions, held in Las Vegas, Nevada. This year marks its 27th incarnation. So what happens at a hacker convention, and what does it take to survive one? Let’s check out DEFCON 27 in Vegas in the flesh, along with recommendations from my own survival of DEFCON 27. Let’s go!
Back to back InfoSec events
Compared with the corporate, cushy, prim-and-proper face of Blackhat, DEFCON is an entirely different scene. It is more of a “renegade” style hacker convention, characterised by an underground hacker ethos. It is not wrong to say that if Blackhat is Bruce Wayne by day, the DEFCON hacker convention is Batman by night.
There is also a strong emphasis on tools and techniques which are otherwise not ready for mainstream or commercial use. There is a fair bit of underground content too, and finding these gems is a joy for DEFCON attendees.
Notably, the term “DEFCON” here is not to be confused with the five progressive levels of alert used by the US armed forces. The DEFCON hacker convention usually runs on the weekend after Blackhat, making the two back-to-back InfoSec events in Vegas. Most Blackhat attendees end up staying for the 2nd weekend for the hacker event.
There is a good mix of attendees here, not confined to a particular age group or geographical location. You mostly find Gen-X and millennials, with kids and the elderly in the mix as well. Hacking is, after all, for everyone, right? There is even a world map by the convention main floor where you can mark out where you are from.
An information overload
Have an interest in wireless hacking? Curious about how to beat speed cameras, or how to perform social engineering, according to a government expert? There is a lot happening at any time, with at least 4 to 5 official panel tracks running at any given moment. This excludes unofficial events such as Skytalks, which I shall cover separately later in this blog post.
Other events include a scavenger hunt and Capture the Flag (CTF) competitions, with rather attractive prizes and swag to boot, not to mention hacker bragging rights. DEFCON also has several concurrent “sister-conventions” or “cons within a con” which run through the con (convention) period too. These include Queercon, a hacker gathering for the large DEFCON LGBT community, as well as, humorously, QuietCon and Linecon.
Plan your panel timetable
Hence, it pays to plan out your agenda for the day to make the most of your convention time. Time is of the essence here at DEFCON, and multiple briefings and trainings can run concurrently at any one time. Plan your schedule around your interests well beforehand so that you can attend panels back to back.
It is good to look through the DEFCON website, which lists all the panel talk topics and challenges of interest. The website and the mobile app (only use the official app, doh) are your source for the most timely updates on the ever-evolving convention schedule, since panels listed in the printed convention book timetable could be rescheduled or cancelled altogether.
Additionally, if two panels you wish to attend clash on the same time slot, you could consider planning a half-hour slot at each location. Do note that some panels end early, which gives you time to pop by another panel in the same time slot.
Navigating the convention
Along with a packed timetable of talks, the convention is massive. The DEFCON hacker convention is held across 3 hotel venues along the Las Vegas Strip, namely the Bally’s, Paris and Flamingo hotels and casinos.
Notably, most of the happenings are located in the Bally’s and Paris hotels, with a small sub-village on the Flamingo hotel grounds. It is also not uncommon for groups of con-goers to book out a suite in one of the convention hotels. If you know a friend or two who have a room, entry is usually by invitation only. It serves as a much-needed refuge from all the chaos on the convention floor below.
DEFCON is also split into multiple “villages”, demarcated by sectors covering a myriad of topics. These include aviation, wireless, automotive (car hacking), artificial intelligence, industrial control systems and, interestingly, lock-picking. These village sectors are scattered around a large multipurpose hall in an open environment in the Bally’s Event Center.
If hands-on hardware is your thing, the Hacker hardware village is the place for you. There is a sub Aviation sector where you can hack flight controllers, like those by Honeywell for instance. There is also an automotive sector, with a couple of donated cars, like a Tesla Model 3 and a Nissan sedan, which you can destroy for the purpose of science. At the end of the day you can see these cars with their dashboards ripped off and CAN bus cables exploited beyond recognition. A car badge is yours for $95, while a Traffic Light Badge sets you back $30.
Living the Badge life
Speaking of badges, they are a big thing and always a hot topic here at DEFCON. It is not uncommon to see attendees sporting eye-catching LED or LCD illuminated pieces of wearable digital badge hardware on a lanyard or wrist. I got to meet some really avid badge collectors with their necks loaded with badges.
These badges can range from purely aesthetic pieces with a series of LEDs, to animated versions, to those with full LCD screens. Some have additional trickery such as near field communication (NFC) interaction, built-in Bluetooth or Wi-Fi, or even games you can play on them.
Interestingly, this year’s DEFCON badge is no exception. It is an elegant quartz crystal from Brazil, specially cut and polished for the badge. With the aid of LEDs, it glows, and it allows for NFC communications between badges. Notably, within 24 hours of release, you get hacker discussion forums overloaded with diagnostics and reverse-engineered data of the badges.
You can also see various vendors at DEFCON hawking custom-designed digital badges. They are usually sold assembled or as kits for assembly. Like in any hacker convention, DIY is the thing here. If you need a soldering iron to build your badge or complete an ongoing challenge, you can use one of the many soldering stations available at the villages.
Oh yes, if you are lost or need any help, look for the Goons. They are the DEFCON convention staff. You can’t miss them given their shouty red staff shirts. They are often found directing crowd traffic in the halls, decked out in rather ostentatious fashion statements. Goons also have different con-badges. Tapping your badge on theirs is rumoured to give you special powers (no it doesn’t).
You do not need a tin foil hat
Contrary to popular belief, no, you won’t be hacked the moment you step into the convention. You also won’t need a burner phone, or to put your phone in a tin can here.
Regular common sense applies. If you stick to the basic rules of not connecting to any unsecured Wi-Fi (even if your friends tell you to) and not clicking on any suspicious links or emails presented to you, you will actually do very well here at DEFCON without being hacked at all during the entire convention.
There is also somewhat of a code of ethics here at DEFCON, where anyone who hacks innocent public infrastructure like hotel Wi-Fi or hotspots is shunned. The hackers here go for the big boys, like Capture the Flag and bounties, which is the ethos of white hat hacking. Commendably, the environment at DEFCON is friendlier than you might think, and any hacker black sheep are really in the minority.
Not all hacking is bad, especially white hat hacking. Interestingly, DEFCON also features an ethics village. This sector aims to educate attendees and involve them in detailed discussions about ethical hacking. Topics covered include how and why certain hacking, surveillance and security activities should or should not be undertaken.
While it is not uncommon to find convention goers toting laptops with huge stuck-on wireless antennas sticking out of backpacks and machines sniffing out wireless packets, the lowdown is that the people here are keener on the hacking challenge prizes and limited bounties on hand than on actually hacking any other person on the street.
Moreover, most of the hacks here are for demonstration and plain humour, with the purpose of data gathering and research. A notable item of interest would be the Wi-Fi Cactus. It is made out of a number of Wi-Fi Pineapples brought to you by Hak5.
Grab your Hackerwares (and warez)
The convention has its own swag store as well as a dealers’ vendor hall. Here, you can find several big names in the InfoSec world hawking their wares. Fancy a lock pick set, a high-gain antenna to listen in on your neighbours or a full-band software defined radio kit? You are covered.
Additionally, DEFCON is one of the few times of the year where people can find and stock up on their hacker gear. This can range from hardware and customised hardware to lifestyle clothing, literature and merchandise. I was surprised to find Chinese companies Alibaba and even Tencent present too, till I remembered DEFCON just had their first Chinese convention not too long ago.
I had the honour and opportunity to meet up with a couple of my info security idols, such as Darren Kitchen, the founder of Hak5, and his co-presenter Shannon Morse. Trust your technolust!
Official merchandise sells out quick
The official convention loot is surprisingly popular (and limited), which makes it highly desirable merchandise. It is also more reasonably priced and affordable than the Blackhat offerings. Hence, it is not uncommon to find queues running about an hour long on average, going on till the merchandise sells out.
Do note that due to the nature of goods sold, many vendor areas have a strict no photo policy to protect the identities of hackers and to promote a safe environment for information and knowledge sharing.
This also applies to some closed-door talks such as the Skytalks. But you are generally fine in large hall talks and open public spaces.
Hacker fuel - Food choices
You won’t have any issues finding food and lunch in the convention venue. After all, it is Vegas. There are plenty of food options like sushi, ramen and takeaways to suit all budgets, including a rather affordable food court in the Bally’s hotel basement if you need a no-frills quick meal while rushing between panels.
However, it is advisable to visit after peak lunch periods as it can get rather packed. Other notable outlets around the block include Buffalo Wings as well as a Gordon Ramsay burger place in Paris if you are feeling rich.
Notably, the venue provides free-flow drinking water in each of the panel talk halls. It is good for quick refills and beats having to bring or purchase water during the convention.
DEFCON Hacker Convention Talks
Besides hacking challenges, talks and briefings make up a very large part of DEFCON. They are also more informal and casual, a far cry from the corporate-looking Blackhat. Here, presenters tend to let loose and even drink booze on stage as a DEFCON tradition (more so if it is your first presentation at the con).
Panels and events are also where you can find some of the most renowned cyber experts in the world sharing their views, findings and predictions. They are worth sitting in on. Most of the time, presenters turn up in T-shirts and shorts and talk about anything under the sun.
Talks range from presenting findings on hacking Wi-Fi, to evading cops, to hacking unconventional items. Interesting ones to go for here are the annual Network Operations Center and Wi-Fi audit findings. Here, speakers share the peculiar and funny things sniffers pick up during the convention, as well as predict trends from the data gathered.
At times, some panels are presented for entertainment value and laughs. Also, in typical DEFCON hacker convention fashion, the entire hall will applaud whenever a presenter presents a new exploit. It’s an endlessly fascinating parade of lateral thinking, innovative approaches and engaging discussions.
Also, if you are observant, each hall has four projection screens showing a live feed as well as live transcription of the speaker’s voice. The top center of each of the 4 presentation halls features an animated, stylised DEFCON skull logo. These animations are projected by Christie industry-grade digital projectors, and I always find the attention to detail mesmerising.
Skytalks, off the record
Another form of talks held at DEFCON are the Skytalks. They are usually separate from the main halls and this year are located in the Bally’s Jubilee tower block. Skytalks are run by a separate executive committee as a DEFCON guest event. Notably, they have their own fund raising and management.
Secrecy is paramount, and everything shared here at the Skytalks is off the record. This means no recording is allowed here at all. Topics covered can include exploits, tactics and procedures which would otherwise put the speakers at risk with law enforcement, hence the no-recording policy. Any recording devices will be destroyed on the spot with a sledgehammer. No questions asked.
The reason for this policy, you may ask? It is to encourage a safe environment where speakers can be free to speak without fear. The organisers shared that past Skytalk speakers have been arrested upon return to their home countries over content in their talks deemed “illegal”. This includes topics such as cyber hacking or spilling state vulnerabilities. Nonetheless, Skytalks panels are always a crowd favourite here at DEFCON, always oversubscribed and full to capacity. They are very interesting panels to attend and definitely an eye opener.
All in all, the DEFCON hacker convention was a joy to attend and definitely an eye opener, especially if you are in the InfoSec industry or a junior hacker in training. I hope you enjoyed my write-up on my experiences and find the tips useful in attending your own DEFCON.
The event does not discriminate. It also provides a more uncensored experience than the corporate face you typically get at most conventions. It is simply a down, dirty and effectively straight-to-the-point hacker space which has worked for the past 27 years, and will beyond.