This year I was able to attend DEF CON for the very first time. DEF CON is a well-known hacker conference that has been going on since 1993. Largely viewed as a fringe / black hat computer hacker conference, DEF CON has been a place for computer hackers and tinkerers to gather and share information. The convention has become significant within the security industry and this year’s convention pulled in an estimated 30,000 attendees.
DEF CON has garnered a sensationalized reputation where attendees are warned not to bring personally owned computers, cellular phones, electronic devices, credit cards, and anything with RFID for fear of being hacked. I will emphasize that these warnings are very overblown and anyone going to DEF CON should simply follow the security protocols they should always be using (e.g. don’t join public Wi-Fi networks, SSL encryption at all times, VPN whenever possible).
Note that I did stay in a hotel away from the conference hotels, partially for extra security by not staying in the hotels where DEF CON attendees may decide to poison the hotel Wi-Fi networks, but also because in hotels with major conferences like DEF CON, Las Vegas hotels are doing random room checks and entering rooms even with “Do Not Disturb” signs. Solo female travelers at prior DEF CON and other Las Vegas conferences have complained about random male employees opening their room door.
Anyway, I was able to get a travel request to attend DEF CON 27 in August 2019 in Las Vegas. From a business standpoint, it is important to note that DEF CON registration fees are cash only. You literally walk up to the registration desk, hand over the entry fee ($300 in 2019), and get a badge and walk away.
No information collection, no receipts. I had to go through some specific procedures with my work travel coordinators to make sure the registration fee would get reimbursed without receipts.
DEF CON 27 was spread out across the Paris, Bally’s, Flamingo, and Planet Hollywood hotels. Paris was the main area with the registration desk, DEF CON swag store, and the primary presentation halls (four main halls). But what I did not realize is that there are several ‘villages’ for various areas of focus:
- AI Village
- AppSec Village
- Aviation Village
- BCOS Block Chain Village
- Bio Hacking Village
- Blue Team Village
- Car Hacking Village
- Cloud Village
- Crypto & Privacy Village
- Data Duplication Village
- DEF CON Hardware Hacking Village
- DroneWarz Village
- Ethics Village
- Hack the Sea Village
- Ham Village
- ICS Village
- Internet of Things Village
- Lock Bypass Village
- Lock Pick Village
- Monero Village
- Packet Hacking Village
- r00tz Asylum
- Recon Village
- Red Team Offense Village
- Rogue’s Village
- Social Engineering Village
- SkyTalks 303
- Soldering Skills Village
- Tamper-Evident Village
- Voting Machine Hacking Village
- Variety eXploitation Village
- Wireless Village
All of these villages were spread out amongst the four aforementioned hotels and they all had their own presentations and activities. The DEF CON website wasn’t really clear on the villages and so I was not aware of the villages until the first day of DEF CON.
When I was in line at the DEF CON swag store, there was a woman in line behind me reading off some note cards. I asked if she was preparing for a presentation and she confirmed that she was, and mentioned it was for a presentation on Seagate Translator Corruption Recovery at the Hardware Hacking Village.
After that, I started looking online for more information on the villages and that’s when I realized the breadth of DEF CON.
While DEF CON 27 was four (4) days, Thursday through Sunday, I only attended the first three days. I was impressed by the number of presentations that I wanted to attend and all the activities I wanted to see.
I did not realize the number of non-presentation activities that were present at DEF CON. There were the soldering stations at the Hardware Hacking Village, but also several Capture the Flag type events spread out amongst the other villages.
My one complaint about DEF CON 27 is that the first day (Thursday) was a bit of a wash. Only one presentation hall in the main tracks was active, so unless you went to the first one of the day and stayed there the entire day, you could not get in.
None of the villages were open on Thursday. Had I known this was going to be the case, I would have just arrived Thursday morning to get registered as opposed to arriving the night before. Granted, I was told by other attendees that in prior years, more things were going on during the first day.
For anyone in the information security industry who has not attended DEF CON before, I highly recommend it. Keep in mind that I would try to go with a team of colleagues, or at least one other member of your team. There are just so many interesting talks and activities that everyone in an organization’s security team will get value out of attending.