By Stephen Heath – VP of Security – Intrinium
“This year feels different,” a friend sighs as we enter yet another of the dreaded “LineCons” that exist outside of nearly every village, talk, and swag area. While crowds and lines are nothing new this year, I can’t help but agree. Defcon is friggin’ HUGE.
What once fit in the modest Alexis Park (whose website boasts “an unforgettable setting for gatherings of up to 1,600 people”) has now overwhelmed the massive Caesar’s Palace and sprawled into the neighboring Linq and Flamingo hotels. Despite all this space, you still can’t seem to get in anywhere. Gone are the days of spontaneously visiting a village or talk; now every action requires careful planning and arriving early. I start getting grumpy.
Time for #LINECON so we can get in to the 4pm @dcskytalks. #defcon #HackerSummerCamp #ComeSayHi pic.twitter.com/uqzd2u1RzL
— Kylie M(egatron) (@0xNBE1) August 11, 2018
“Defcon sucks now and is getting too big,” I catch myself thinking.
Beyond the mass of people, another pall hangs over the conference: the unspeakable tragedy of October 1, 2017 and the effect it had on hotel security. A Google engineer makes an unfortunate tweet talking about how, if he were a bad guy, he would choose to “attack” the wealthy of Blackhat over the poor attendees of Defcon. The Las Vegas Metro Police Department becomes involved. They quickly determine that the man clearly meant a cyber attack on the WiFi, but the damage is already done. Caesar’s security trespasses the man and bans him from their casinos. He is eventually allowed back in after about 24 hours. (https://www.wired.com/story/defcon-tweet-about-hacking-gets-engineer-trouble/)
If I had the time, budget, and motive to launch really good attacks in Vegas, I would:
❌ Attack random Defcon nerds who are probably mostly broke and powerless
✔️ Attack ppl at BlackHat who are way more likely to be in positions of power somewhere with ? to drop on tickets
— Matt Linton (@0xMatt) August 8, 2018
That is hardly the end of it. Stories emerge of unauthorized invasions by hotel security searching guests’ rooms and photographing personal belongings. One woman reports two people claiming to be hotel security banging on her door demanding entry. Another woman tells of an unidentified man charging into her room without knocking while she was dressing.
Current status: two members of hotel security banging on my door after I asked to go into my room and verify them with hotel security. I'm on speaker phone with hotel security, asking for a supervisor to come verify. I'm terrified. What the hell is this @CaesarsPalace #DEFCON
— Katie Moussouris (@k8em0) August 11, 2018
WTF is going on?
VS.
My first visit to the annual hacker conference was Defcon 17 in 2009, when fewer than 1/5 of the current attendees squeezed into the (now non-existent) Riviera hotel and casino. I can still remember being blown away by the technical talks and the counter-culture atmosphere. I cheered as a guy hacked the World of Warcraft API to give himself a player vs player heal bot. I was able to network and meet the full Intrinium team. I was mindblown by my first exposure to Metasploit and the goodies it brought to the table. Ah, the good old days of ten Defcons ago… Of course, when we think of the past, we tend to romanticize.
Defcon 2009
- The hallways between talks were more packed than Caesar’s escalators at their worst.
- There were just four tracks of talks and a few rooms for CTF and Hardware Hacking.
- I had to wait three hours to get a badge because they were delivered late and the badge line was terribly inefficient.
- Bringing a kid to Defcon would be considered child abuse.
- Women speakers were a novelty and those just in attendance were as likely to be sexually harassed as they were to be figuratively labeled “scene whores.”
- I had to listen to the old timers talk about how Defcon sucked now and was getting too big.
Defcon 2018
- This year, I arrived at a peak badge rush time and had to wait less than 60 minutes.
- Now there are more villages than ever before and more opportunities for attendees to deep dive into topics ranging from packet hacking to cryptography and even ethics.
- There are full and half-day workshops where attendees can learn and improve their skills.
- There are more parties than you can shake a stick at.
- Today, children roam the halls of Defcon building the next generation of hackers who pwn voting simulators and even walk away with coveted black badges.
- This year Rachel Tobac’s WISP organization raised money to sponsor 57 women at Defcon, where they got to see women not only attend but continue to emerge as some of the most respected leaders and pioneers in the field.
- I have become an old timer who talks about how Defcon sucks now and is getting too big. At least some things will never change.
The reality is, I’ve had to accept that Defcon is ever-changing and no one year will be anything like the previous ones. There will be good, bad, and ugly.
We expect a venue where our attendees are secure in their persons and effects, and a security policy that is codified, predictable and verifiable. Thank you for your patience while we work this out.
— DEF CON (@defcon) August 13, 2018
I’ll recap some of the highlights in the coming weeks, but in the meantime, I’ll leave you with a crazy thought: If we’ve gone through this much change in only 9 years, can you imagine what Defcon 35 in 2027 will look like?
Want the chance to talk about the wild dark world of #Defcon and more? Join us for our first lunchtime webinar!
Join Stephen Heath for the Exploring the Darknets live webinar on Wednesday, August 22nd at 12:30 PST to be a part of the conversation!