This is the second time I’ve attended DEF CON. The previous one I attended was DEF CON 24 back in 2016. That time, I had no idea what I was doing, mostly walked around and did not really participate in much. This time, armed with slightly more knowledge of the convention, I actually put some effort into planning the events I was going for.
Unfortunately for me, I there was no effort put into research prior to landing in Vegas. By the time I actually got to the planning, all the workshops were completely sold out. That said, I still managed a very fulfilling DEF CON 27 experience.
What is DEF CON?
DEF CON is a convention that occurs together Black Hat. It’s possibly the world’s largest hacking conference and takes place annually in Vegas. The convention primarily consists of villages, workshops, talks, and parties.
Villages are generally a room with a theme and workshops and talks can be held there. Some of them also have hands on exhibits to let you try things out. Examples include the lock bypass village, social engineering village, or the car hacking village.
Workshops are as the name suggests, places where participants can get hands on experience on certain topics. The official workshops are usually sold out way before the conference, but I managed to attend a few smaller ones that had walk-in registration.
Talks are talks are talks. There are people talking at these. It's not generally that useful to attend talks, especially the official talks. Most of these talks are posted to the internet in a few months and you can easily watch them at a later date somewhere online. Some talks conducted at villages are not recorded though. In general, attend whatever catches your interest.
Parties are what you’d expect. Full of alcohol and drunk people.
This year, the conference spanned 4 hotels along the Vegas strip and was probably attended by more than 25k people.
It costs $300 CASH at the door and you get a badge that’s required to access the conference areas. The conference lasts for 4 days though generally the first and last day don’t have much going on.
(Last Minute) Planning?
There are many resources online including the official schedule to find DEF CON related events. This year, I downloaded the unofficial official app that helped compile the list of events going on and provided maps. There are a whole bunch of unofficial events going on as well, and good places to find these would be reddit or twitter. You might even find that some cool people have already compiled a single page list of all DEF CON events and guides like this page.
Other than that, I find that throwing all the events on a Google Calendar is useful to keep track of where to go when. Even if it’s not an official event like “Learn to solder at the soldering village” allocate time for it on your calendar.
Give yourself 15 - 20 minutes to walk from place to place, especially if they’re in different hotels. The hotels and casinos are confusing mazes and you may find that you’ll need much more time than you originally thought to find your place. Uber / Lyft pickup and dropoff can only be done at designated points, and sometimes it may be faster to walk instead of spending time looking for the designated rideshare spot and waiting for the driver to make their way through traffic.
One last thing. Some (most?) places have queues that can last hours. You may want to add buffer for those if you really really want to see something.
Here is a chronological summary of the convention and the other fun stuff I managed to squeeze in during my 4 days in Vegas. This is my personal experience and everyone’s mileage will vary depending on interest and endurance level.
Thursday 8 Aug 2019
Not a lot was going on today, a few talks were happening but most of the villages weren't open.
DEF CON Swag Line
The first thing many people do after purchasing your badge would be to join the swag line. That's where you can purchase official DEF CON swag and the queues are insane. Wearing DEF CON swag immediately adds 5 points to your street cred. Unfortunately, if you're like me and oversleep the line will look something like this.
You can probably expect to spend 3 hours queueing for that swag. You can either get there at 8am, give up, or be lucky enough to have friends already at the front of the queue and exploit their kindness (which is what I did)
DEF CON Talk: Sizing People Up
After the swag line, I went for lunch before trying to attend the Social Engineering CTF. Big mistake. By the time I arrived at the SE Village, the queue was 2 levels long. The CTFs were over when I finally got it. I did manage to attend one the following day, so I'll elaborate on what this is later on.
I did end up catching a talk called Sizing People Up about how an ex FBI agent spent his career convincing foreign spies to work for the US government. The takeaway I got from that is that everyone will cooperate if you provide them a means to achieve their life goals. The problem was trying to determine what the target's goals were. And being completely non judgemental and open to someone is a great way to gain trust.
That sounds all nice and good, and maybe I'll figure out how to apply this to my daily life some day. I don't have any need to convince foreign spies to work for my government at the moment.
DEF CON Party: Toxic BBQ
After the talk, I went for an unofficial DEF CON party. It was more of a BBQ than what you’d imagine a vegas party would be.
Nothing much eventful happened during this party. I got to socialise a bit, eat some unhealthy sausages and show off my spice tolerance by eating a ghost pepper. Pretty tame party stuff. For my efforts, I was rewarded a token and seemingly admission into a spicy club.
DEF CON Talk: Cubcon talk
This was a gathering for new DEF CON attendees called Cubcon. I didn't manage to attend much of it as I was rushing off for my next appointment, but I managed to catch a quick talk about software defined radios. I wasn't entirely sure what the purpose of the talk was. The speaker ran through how radios work and what an SDR was and that was it.
Vegas Activity: The VOID - Ralph Breaks VR
I've been to the void Star Wars experience before and I think that was one of the best VR experiences I've had. You get to walk around from room to room. And wear a vest that vibrates if you are hit giving a new level of immersion. I think it's worth trying at least once and it's not too expensive either at less than $40 a person.
Friday 9 Aug 2019
This was where DEF CON really started. All the villages were in full force and the place was completely packed.
DEF CON Workshop / Talk: Rapid Prototyping for Badges
Originally meant as a workshop, the speaker didn't really have time to prepare the workshop materials or slides. But he still did a great job explaining how (Printed Circuit Boards) PCBs work and how to make badges. This is also when I was properly exposed to the #badgelife. For the uninitiated, everyone attending DEF CON will have a default badge (picture near the start of this post.)
But some attendees have much more elaborate badges. These badges are either bought, won, or made before or during the convention. They're almost always made of PCB and have flashy LEDs on them. Wearing 10 gives you some epic street cred. This talk really helped me understand how to start making my own PCB badges. As a consolation, I now also know how to start designing PCBs for my electrical projects.
It ended off with us getting parts to make our own first badge. I was quite happy to have a second badge, as boring as it looked.
DEF CON Villages: Hardware hacking, Car hacking, Aviation hacking, Drone Exploitation, Variety Hacking
I've lumped all these together because they were in the same large room. This is the part of DEF CON that feels the most like a convention. Each of these villages specialise in a different thing. Walking around the room really opens your eyes to all the cool things that people are doing. It’s like Maker Faire but more hacky related.
Hacking cars? Someone (at DEF CON 24) told me that a modern car is basically a computer with wheels. Most things including acceleration, brakes and steering can be controlled with the on-board computer, and car makers aren’t the most focused on security, making cars a pretty unsafe piece of technology to be in.
A fighter jet simulator, complete with weapons systems.
Hacking drones. Drone companies also don’t focus too much on security and there were tables dedicated to letting people attempt to hijack the controls of a toy drone. The first person to reverse engineer the control signals would win the drone.
The soldering village provides a platform for beginners to learn to solder for free. In fact, there are so many things you can learn for free at DEF CON that the $300 entry fee is easily more than covered if you think of it as a 2 day course.
I have no idea what this is. Something like a power grid? But it looked cool so I have a video of it.
DEF CON Demonstration: Social Engineering CTF
This is one of the coolest things I attended at DEF CON 24, and this year, I had to go back for more.
The idea that hacking only entails furiously banging on the keyboard is a lie perpetuated by popular media
as a means to reduce the overall security of systems worldwide.
Most of what we think of as hacking is research and information gathering to determine possible attack vectors. And no, it's not typically done by bypassing a firewall through a DDoS botnet attack and decrypting passwords via quantum fluctuation information theory reversal fields. Most of the time, boringly enough, it consists of someone leaking the information you want by asking nicely. And that's what social engineering is about. Getting people to leak information and give access you wouldn't typically have.
The Social Engineering CTF (Capture the Flag) is an event where a Social Engineer is given a list of tasks they have to achieve simply by calling the company. They are given 20 minutes and put in a soundproof booth while an audience of about 700 people watch them try to get that info.
The flags are simple things that range from getting their OS version, or making them visit a certain website. Typically this is done to get more information about the target company so a hacker can plan more elaborate attacks.
Needless to say, recording is not permitted, and it's a nerve wracking experience for everyone in the room. Sadly, for the demonstrations that I attended, the contestants didn't manage to get many flags. Possibly because it was a Friday at 4pm and no one was picking up their phone. Either way, the experience was completely worth it.
To give you an idea of what I’m talking about, here's an example of a CTF that went really well. I highly recommend watching it, it's a work of art.
DEF CON Workshop: Prosthetics
This workshop is hands down the best thing I did at DEF CON this year. I attended the workshop not knowing what to expect. I figured it had something to do with prosthetics (no shit Sherlock).
I thought it would be something like a regular workshop, where they would have given us instructions on how to do something, and we’d build it. Maybe I would get to take home a model prosthetic limb. What I ended up doing was way better.
Some context: An amputee suffers many inconveniences. Some are obvious, but others less so. One thing I learnt is that they have a problem with overheating. This completely took me by surprise, but the reasoning is quite obvious when you think about it. A human loses heat via their skin, and a lot of skin happen to be on the limbs. Without those natural heatsinks, an individual is prone to overheating, and by overheating I mean getting heat injuries from standing around in sunlight. To make matters worse, prosthetic limbs are not usually very breathable and end up trapping even more heat.
The problem that was presented to us was just that. Chuck, a double amputee, has issues with overheating. He would have to wear a thin breathable shirt during the winter to keep cool, and he would not be comfortable in the summer heat. Our job was to build a device to keep him cool during the summer. We were provided with a bunch of parts and the rest of it was left up to us.
Long story short, we cut up a CPU water cooling system and mounted it onto a brace that mounted onto Chuck. We ran some pipes behind the brace that directly contacted his skin to draw heat away from his body. The heatsink and fans were positioned such that they drew hot air away from his body and cooled the heatsinks as well. Finally, we put a thermometer with a relay and hooked all those up to the liquid pump and fans via a terrible hacky soldering job so it turned on everything when the temperature hit a certain threshold, and turned it back off when the temperature went back to normal.
For a two hour job, I’m pretty proud of what we managed to achieve. I didn’t want to post the picture of Chuck here without asking him, and since I have no way of contacting him, just imagine the device being strapped to the side of a human without an arm.
DEF CON Contest: Whose Slide is it Anyway?
If you're familiar with the improv show "Whose Line is it anyway", this is a play on that show. Participants are given a random slide deck and they have to come up with a presentation on the spot. I wanted to register, but I could not find the registration booth at all. The whole thing was being run by really drunk people and it made for some really hilarious antics on stage. I don't think I'll ever be drunk enough to fit into that crowd.
I watched about three presentations before going back to my room for the night. It was as nonsensical as you'd imagine for drunk people presenting slides made by drunk people.
Saturday 10 Aug 2019
Second day of the meat of DEF CON. Many things were done.
DEF CON Workshop: Intro to Lockpicking
More of a talk than a workshop, but after the talk we got to practice on some locks. I had already done lockpicking at my previous DEF CON so this was more of a refresher.
DEF CON Talk: Understanding and Making PCB Art
In a way this talk was a follow up to the previous day's PCB Badge talk, with more focus on how to make art with the different PCB layers. We went through a workflow from drawing the artwork, to converting it to layers on the PCBs and finally sending it to a factory to be manufactured. It was an eye-opening process and provided a good base to start my future experimentation processes. In fact, I was so inspired that I went on to build a PCB for one of my old projects.
Bonus: Met Scotty from Strange Parts
In the previous talk, the speaker gave some screenshots a video of the factories in Shenzhen, China. Those were from a Youtube channel I follow called Strange Parts. The speaker said that Scotty was wandering around somewhere. Wouldn't you know it, I somehow ran into him while walking to lunch. Cue excited fanboyisms. I would post a selfie here, but that's not really my style.
Incidentally, I met Brian Brushwood from the YouTube Channel Scam School at DEF CON 24. Fanboyisms were had as well. I wonder if I'll be able to keep up this streak of meeting Internet celebrities during the next DEF CON I attend.
DEF CON Village: Lock Bypass
There was nothing here that I didn't already know was possible from watching previous DEF CON talks online, but it was really fun to be able to try bypassing locks for myself. This village had all sorts of locks, from car locks to elevator locks, and they provided the tools to teach you how to bypass those locks. It is one thing to watch a talk about how insecure all our locks are. When you see an expert breaking through doors so easily, you can chalk it up to the fact that it's that guy's job and that's perfectly normal. It's another thing to stick a shim into a door and open it yourself. I guess I'll have to put more locks on my door then.
DEF CON Hands on: Learnt to perform surface mount soldering.
I went to the Variety Hacking Village and they had some badge kits for sale. I had already soldered a simple badge the previous day, but those consisted of the much easier through-hole components. This new board had surface mounted components and the nice people there taught me how to solder. Maybe next year I’ll try some of their RFID kits.
Vegas Places: Chinatown
So I've never been to Chinatown in Vegas before. But it's quite legit. Food is still a bit expensive compared to Singapore / Japan, but it is way cheaper and has nicer food than anything on the strip. Yes, I might be biased towards Asian cuisine, but I still enjoyed it.
Vegas Shows: Watched Penn & Teller
This show is worth it. They are the best magic show I've ever seen in my life. (Okay, maybe also the only magic show I've watched). Either way, they are great presenters and one of the magic tricks involved making every member of the audience do the trick in the comfort of their own seat. Unfortunately I got in late and did not manage to get the props for myself, but almost everyone else seems to have been mindblown so I'll just assume the illusion went super well.
Sunday 11 Aug 2019
Woke up late and checked out. On the last day of DEF CON, most of the workshops are typically over and there aren't a lot of speeches left. I still did manage to attend one last workshop before the end of the day though.
DEF CON Workshop: Exploiting Bad Crypto Found in the Wild!
This talk is probably the most hacker-esque talk that I attended throughout the convention. The main point is that sometimes, developers use custom built hash and salt methods to encrypt passwords or generate tokens. Sometimes, these methods are crackable with some trial and error. That's what this workshop was about. Teaching us techniques to decode a hash by trying out different inputs. Then writing a script to make intelligent guesses about the hash and cracking the encryption and obtaining the passwords. This felt a lot like one of those math Olympiad questions we used to get as a kid, trying to recognise patterns from different inputs.
DEF CON good. Plan early if possible. If not, DEF CON still good.