By Pres. James
Over the past week and a half, I had the delightful experience of attending BlackHat USA 2012 and DEF CON XX, out in beautiful (and warm!) Las Vegas. Who better to
brag to share that experience with than all of you
here in DC Geeks?
What Are BlackHat and DEF CON?
While they are two separate events, BlackHat and DEF CON are inextricably linked. They are both computer security conventions, but have incredibly different atmospheres. Both were started by Jeff "Dark Tangent" Moss.
|The "Dark Tangent" looking pensive (image by Jason Scott)|
DEF CON was the original convention. It was founded, more or less, as a way to get a bunch of hackers together to hang out, drink, and exchange ideas for a weekend. In a first for hacker conventions, they also invited a law enforcement representative. Jeff conceded it was because they knew they were going to be watched, so why not know who it was?
DEF CON continues to be dominated by hacker culture and is famed for its parties, crazy antics, and occasional arrests during or after presentations.
BlackHat, on the other hand, represents the corporate side of the security industry. The cost is much higher, and the talks are more formal. Occasionally, you might even run into someone wearing a suit! In addition, BlackHat offers intensive training classes, a large vendor hall, and catered lunches and receptions.
The differences are pretty clear, right?
This was my first year attending BlackHat, and it was quite an experience. After flying out to Vegas on Friday and checking into Caesar's Palace, the traditional host hotel of the event, I started a class the next morning.
|BlackHat takes the weight of each soul (image by heartbeaz)|
For the first four days of the event, participants are in classes from 8:00AM until 6:00PM, with occasional breaks for coffee, snacks, and lunches. These are all sponsored by security product vendors. The teachers are among the best in the field, including people like Chris Eagle (author of the definitive book on IDA Pro for reverse engineering, and one of the ones in charge of keeping Capture The Flag working at DEF CON - but more on that later.)
The days pass quickly, and the nights can be full of vendor-sponsored parties or of Vegas fun, depending on your mood. For these first few days, only a few thousand people are present, but that changes quickly.
Wednesday, the big event begins, called the Briefings, which bring around 7000 security-minded people to the hotel. (There are "Executive" briefings on Tuesday, but you literally have to be a C level executive of a Fortune 1000 company to be invited, so most of you probably don't need to worry about those.)
The Briefings are panels, about 45 minutes long, on diverse subjects involving anything from the highly technical (how to break a particular encryption method) to the big-picture (what direction is application security going, and is it the right way?).
Each day also has a keynote. While I missed the first, the second day was Neal Stephenson, who was there to talk about himself, hacker/maker culture, his works, and how those works inspire people. Of course, as soon as he stepped on-stage, Twitter went down in a flood of tweets.
BlackHat is where the vendors really come to spend money and get their name out. On the two days of the briefings, each night had at least five large-scale, vendor-hosted parties. That is to say nothing of the free swag and prizes being handed out in the vendor hall, and the equipment and booth babes brought in to draw attention.
The parties are big, though. I attended two of them this year, one for RSA and one for iSight. They can be exclusive, too – invites to some parties required knowing someone, winning a drawing, or somehow "being on the list."
The RSA party was impressive. They rented out an entire upscale nightclub in the Mirage (1 Oak Las Vegas) and given it a half-cyberpunk, half Tron-like theme. The back was filled with arcade cabinets and mist from a fog machine. The front had Tron-costumed dancers, while electronic music thumped and alcohol flowed freely and for free. Most of the night was spent partying with a group of Australian security experts who had come for the convention.
The iSight party, on the other hand, I attended because my previous boss just began work there. They acquired the Real World suite near the top of the Hard Rock hotel and opened it up with, once again, an open bar, plus a live band and magic-performing little people. I was a little disappointed, but mostly because when the party was first pitched, I had been promised elephants! There wasn't a single trunk to be found.
After attending to my professional duties at BlackHat, it was time to enjoy the more informal setting of DEF CON.
DEF CON is in my top two favorite conventions of the year. That should say something, considering I attend more than a few other cons (including MAGFest)! It's an experience that really isn't replicated anywhere else, though. Even the details are exciting.
|An example of this year's vendors' badge|
(image by Eliot Phillips)
For instance, this year's badge consisted of an eight-core propeller circuit board. It could natively "talk" to other badges and keep track of what sorts you had interacted with. When held in front of another badge for a few seconds, a light would flash to signal that the board's IR sensor had recorded the other badge's type. Connecting to all the types unlocked a special message.
It also came with a VGA port, a USB port, and two PS/2 ports so you could hook it up to a monitor, keyboard and mouse to work on it. In addition, there were puzzles hidden in the code, the symbols printed on it, and even on the lanyard. Each year a hacker by the name of 1o57 runs contests for who can get the furthest in figuring out those puzzles and many others hidden around the convention.
This year, over 14,000 hackers attended DEF CON. In addition to having puzzles to work on, there were plenty of other events running as well. There were competitions to decrypt passwords, find data in network streams, go on a scavenger hunt around Vegas, shoot well, pick locks, and more. The contest that stands out, however, is Capture The Flag.
Capture The Flag (CTF) is a fairly simple competition, in theory. You're given control of a few servers, so is everyone else, and the objective is to score points by hacking other teams' servers while defending your own. In practice? Less simple.
There were a few versions of the game running. BroCTF was a constantly running version where people could drop in and out as they pleased. OpenCTF was an elimination bracket based on rounds. The most coveted form, however, is simply called CTF. It gets its own room, and entry is strictly regulated.
For a team to play in the DEF CON CTF, they have to either win a regional qualification tournament or win another well-known CTF event. The previous year's winner is also traditionally allowed to return to defend their title. This year, one slot was auctioned on eBay, bringing in over $4000 for charity, as team Occupy EIP didn't qualify but was willing to spend the money to compete.
|Freakshow Party DEF CON XX (image by Michael Wifall)|
There's also a vendor room at DEF CON, though instead of multi-million dollar production systems, this is more geared towards selling t-shirts, stickers, lock picks, and various electronic tidbits, along with things that go bleep, blinkenlights, and similar items.
The programming track at DEF CON, however, is a series of talks similar to those at BlackHat. In fact, there's enough overlap that BlackHat has been called "practice for DEF CON, but with less drinking." However, there is enough new material to go around.
The thing that DEF CON is really known for is its mischievousness and crazy antics. The DEF CON wireless network has been called "the most hostile network in the world." A projector is running 24/7 to project the names and passwords of people who have logged into things on it unwisely.
This year, a team of hackers brought in their own cell phone access point and handed out custom phones to people that would only work with that tower. Speaking of cell phones, apparently someone was jamming the AT&T signal in the convention center.
In previous years, slot machines have been hacked, management networks have been brought offline, fake ATMs have been installed, and RFIDs have been sneakily scanned and collected. As a general rule, no lasting HARM is usually done, but... it's a good idea to wipe your laptop and your phone when you get home.
DEF CON has lots of parties and entertainment as well, including inviting The Crystal Method to perform in one of their main tracks this year. As expected, it was quite a hit. Despite all of this, DEF CON really is an opportunity: an opportunity to meet other people who are genuinely excited about what they do.
What they do may not be what you do, but that just means you can learn something from each other! Between the hardware village, the wireless village, the lock pick village, and the talks that draw from an incredibly diverse set of interests, there's bound to be people who share your passions, as long as you like to make or break something.
You never know who you're going to meet. At one of the pool parties, I met a hardware specialist who just so happens to also be a blacksmith and a brewer. The main emphasis is simply on doing, not passively consuming. As long as you agree with that, you'll find a place at DEF CON.