03 Aug, 2017

DEF CON - Is It Really That Scary?

by Amy McElroy and Clea Ostendorf

This year marks my third working in Business Development at nVisium, and until now, I’d strategically avoided the infamous Black Hat and DEF CON industry conferences. Like many first-time DEF CON attendees, I really had no idea what to expect.

I’d heard stories from industry peers about fake ATMs in hotel lobbies, cracked safes being looted, and the looming intent of the attendees trying to hack anything and everything possible. Thankfully, my colleague and partner in crime, Clea Ostendorf, also a first-time DEF CON attendee, was at the conferences with me. After reading a blog post from another first-time Vegas attendee last year and chatting with some of our colleagues who are veteran conference attendees, we both began our prep.

While we didn’t opt for burner phones or laptops, we did, however, take some precautions to ensure our own security. We logged out of every app and website containing sensitive data, avoided connecting to any WiFi networks (including our hotel’s, which was located as far as possible from the events), and we even both bought RFID Blocking Wallets for our cell phones and credit cards. Was this overkill? Maybe, but better to be safe than sorry.


One of our colleagues, who has attended DEF CON since the beginning, warned us, “Vegas is still pretty cautious about DEF CON attendees, but that is to be understood after a few years of broken elevators and disassembled ATMs.”

However, the attitudes towards DEF CON have changed and the Vegas community has become more open and welcoming as attendees have become more civil. We, personally, did notice some locals were more cautious than others, specifically when cab drivers reacted with fear upon finding out we were in town for “that big hacker conference.” (No, Mr. Lyft driver, I’m not scamming your information from your Bluetooth in the back seat and no credible hacker is going to drop a zero-day in the one place people are looking for it.)

Beyond that, our overall first experience at DEF CON was a rather positive one. Other DEF CON regulars agreed that the vibe surrounding the conference has continued to evolve throughout the years.

Jerry Gamblin (@JGamblin), a well-known hacker and good friend to nVisium, has been attending DEF CON (on and off) for the past 10 years. He notes, there is “less fear and more understanding that there are good and bad hackers. The general public now knows the term ‘White-Hat’ and ‘Black-Hat’ and what it means to be both.” He also states, “I don’t think there is any more risk to you as an individual at DEF CON than in Vegas on a normal weekend. Just make sure you practice good OPSEC and patching, and you should be fine.”

Another 20-year DEF CON veteran shared that, “In that time DEF CON has grown from 250 people to 25,000, so the conference reflects a wider population than it did all those years ago. The biggest change outside of that is the number of events outside of the regular tracks. It is now a conference of conferences, with something for everyone. As the conference has grown the diversity of the crowd has changed immensely. More foreigners, women, and even kids (Check out Rootz!) that were not seen during my early days of attendance.”

Gamblin also noted that “DEF CON has grown but the atmosphere is still one of openness, learning, and community. You can decide if you want it to be a party, a full-time CTF, Hall Con, or if you want to see 30 talks… and you get to decide that every year.”


“Hall Con”, for any first timers, is the time spent waiting to get anywhere, which is pretty much the theme of Vegas (photo credit @JGamblin). Look at all those smiling, happy faces!

So to conclude, our overall first impression is that DEF CON isn’t as scary as it once was or is perceived to be by so many, and there seems to be a track and/or activity for everyone. So if you plan on attending next year, this is our advice for any first-time DEF CON attendee:

  1. DON’T be scared. Everyone is incredibly nice and excited to teach you something new.
  2. DON’T connect to any public WiFi. Though the vibe is much more positive than in years past, do use extra precautions to avoid anyone trying to troll you. (Note: the RFID-blocking wallets probably weren’t necessary.)
  3. DO hydrate. You’ll be doing lots of walking, talking, and likely drinking, so be sure to always keep a full bottle of water on hand (Warning: bottles at the hotel will set you back $9, so consider bringing your own you can refill) and electrolyte tablets too.
  4. DO take advantage of some of the good restaurants and activities Vegas has to offer. With all the craziness of Vegas, it’s sometimes good to take a break from the conference talks, halls, and parties to post up at a restaurant or bar with a friend, client, or colleague. One of our favorites? Carnevino if you’re looking for a nice steak dinner in the heart of everything. Or you can venture off the strip for something more affordable.
  5. DO enjoy as many of the after-hours events as you can. nVisium hosted a fun event this year in the “Hangover Suite” at Caesar’s Palace, which was a great way to catch up with our clients and friends.
  6. And some final advice from our 20-year DEF CON vet: DO “Get out of your shell and try something new. Contests and events are all hands-on and meant to be interactive. Pick talks in each of the different villages to get a flavor of everything for your second year. Remember that you don’t have to do it all and that everyone starts somewhere.”