Highlights from BSides Las Vegas & DEF CON 24 – Part 2 – DEF CON 24

Blog

Thought Leadership

Highlights from BSides Las Vegas & DEF CON 24 – Part 2 – DEF CON 24

Jim Nitterauer

Now that summer is officially over, I'll take a moment to flashback to the dog days of August and the last event that makes up "Hacker Summer Camp." That event is DEF CON. This year, DEF CON 24 was held at Bally's & Paris convention centers starting on August 4th and ending on August 7th, 2016. This year, there were more than 22,000 attendees. This event it by far the largest aggregation of hackers of all kinds anywhere.

So what makes DEF CON so alluring to the hacker community? That's hard to say exactly as the draw is as individual as the hair styles you encounter. For the uninitiated, DEF CON conjures up all sorts of evil and nefarious activity. While that is part of the event, it is so much more. First and foremost, DEF CON is community. The majority of those attending make the trek to Las Vegas annually to meet their "hacker family" and spend time catching up on the latest trends. For some, its a chance to share their research and knowledge with others on a grand scale. Consider that DEF CON has three main speaking tracks plus the DEF CON 101 track. Each room for the main tracks is configured to handle about 4000 attendees while the DEF CON 101 track accommodates around 2500. In addition, there are vendor-sponsored talks as well as an entire SkyTalk track that goes unrecorded.

I was already in Las Vegas having attended and spoken at BSides Las Vegas so I arrived at DEF CON in time to jump right in with both feet. DEF CON 24 would be my fourth DEF CON so I was not technically a N00B. Even after attending three previous years, I was looking forward to learning new things, making new friends and generally getting immersed in the "hacker / InfoSec" community. Obviously, when attending a conference like DEF CON, you will encounter some of the worst behavior imaginable but those engaging in that sort of behavior are by far the minority of those in attendance and their behavior is quickly handled by the Goon Squad and other on-premise security. That said, all those attending should practice reasonable and prudent computer and cell phone safety practices like disabling BlueTooth, not using any WiFi without a VPN, not plugging your devices into any "charging stations" and avoiding any ATM machines within several blocks of the conference.

In spite of this being my fourth year, I decided to attend the DEF CON 101 Panel. The panel was a an introduction aimed at getting all those were N00Bs (those are zeroes not o's) up to speed with respect the history, expected conduct of attendees and scope of the event. In addition, there was an opportunity for some to have the panel bestow upon them a "hacker handle" to be worn as a badge of honor. I participated in that exercise but will save the determination of the panel for another time. I did get some other cool DEF CON swag including a couple of DEF CON N00B Challenge Coins and a rare lanyard. That lanyard turned out to be a vital component for those participating in the DEF CON Badge Challenge so I made a lot of new friends thanks to my lanyard.

Next, I went on to check out the vendor and contest areas. These areas are open for the duration of the conference and have every manner of contest, demos and merchandise you can imagine. Unlike most conferences, the vendors at DEF CON are most smaller and offer their products on site. There are no major corporate displays and everyone is You could spend your entire three days in just this area alone. Some of the notable vendors included Bump My Lock, Breakpoint Books, Cobalt Strike, Duo Security, Electronic Frontier Foundation, Gunnar Optiks, Hackers for Charity, Hacker Stickers, Hacker Warehouse, Hak5, No Starch Press, Pwnie Express, Rapid7, Toool, Untangle and more.

The contest area at DEF CON is massive. One large section is set up for the DEF CON Capture the Flag (CTF) competition. Teams compete all year in qualifying events for the opportunity to compete at DEFCON. Teams competing pretty much do nothing but compete. They are going hard at it for about 72 hour straight. In addition to the official DEF CON CTF, there are other contests sponsored by a variety of vendors. Each contest has a slightly different twist on the game. Many of these games can be played away from the event and are designed to get novices involved in playing a CTF. Mixed in with the contests was the Car Hacking Village, Lockpick Village, Tamper Evident Village, Bio Hacking Village, Internet of Things (IoT) Village, Wireless Village, Social Engineering Village, Crypto & Privacy Village, Data Duplication Village and Hardware Hacking Village. Each of these had hands on demos, instruction and talks designed to get you up to speed on the village's specialty.

Another DEF CON favorite is the Wall of Sheep area. Here, you can view in real time all the people using the DEF CON WiFi (why they use that, I have no idea) and sending credentials in plain text over the network. All the connections are displayed on a giant screen for all to see. In addition, you can try your hand at the Wall of Sheep Packet Capture and get ready for your first CTF. Wall of Sheep also offers a WiFi Sheep Hunt and other cool contests.

DEF CON also has an entire track called Sky Talks. These talks are not recorded and typically include presentations that are more clandestine in nature. There were definitely some very cool talks there including a demo on exfiltrating data using DNS.

The core of DEF CON is definitely the talk tracks. This year, there were three tracks and the DEF CON 101 track. All were packed with excellent talks. These talks are typically attended by about 3000 people per talk on average. A new attraction at DEF CON 24 this year was the DARPA Cyber Grand Challenge. This challenge pitted human teams against computers in a complex CTF competition. The goal was to determine whether computer logic could outshine human intellect in the challenge. Humans won most of the challenges but the computer competitor was close behind and even beat some of the teams.

Beyond the daytime activity, DEF CON offers a healthy social agenda. You can look at all that DEF CON 24 had to offer by viewing the archived web site here. If you have never attended DEF CON, you should consider making the trip for "Hacker Summer Camp" and see what you can learn!