DEFCON: A Beginner's Guide
What started as a simple guide became a 2000+ word brain dump of my past years' experience and learnings from Defcon. From Tickets to Villages to Digital Safety, join me on this journey...
If you’ve never been to Defcon, this guide is for you. Here I will attempt to break down in my own words what to expect, a bunch of tips, and some things you can do to have a better experience. I recommend reading as many guides as you can to get a good understanding of what’s out there and what’s best for you.
I tried to keep it brief and short, around 1200 words, but I ended up around 2000 words. I still have more to say lol. Maybe I can do a video?
Thanks for reading Last Week As A vCISO! Subscribe for free to receive new posts on cybersecurity for SaaS leaders.
What Is Defcon?
Defcon is the largest hacker conference in the world, however I use the word “conference” a little liberally here. It first started off as a party at a hotel for a bunch of hacker friends, and has since blown up into an annual pilgrimage for anyone that considers themselves a “hacker”. For an expanded and true definition of the word hacker and hacker culture start here and here.
So this might be a good time to expand on the different types of Defcon experience one may have.
Why I Go?
Defcon re-energizes me. That’s it. It’s a place where people think like you and you are accepted. It’s about spontaneity and connection, which is me. That’s it. In security you’re always fighting an uphill battle, and at Defcon you get to share your battle scars and war stories. You don’t feel alone here.
Speaking at Defcon is often considered the pinnacle of one’s career. The talks can range from groundbreaking offensive research, to very academic research, to a wildly entertaining talk about dying and coming back alive. There’s also the story about stealing a hacker’s computer.
All the talks are recorded and even streamed live to the rooms of hotels participating in the conference. The really famous/anticipated talks will have lines, sometimes starting an hour ahead of time, just to get in… aka LineCon.
There is something about watching a groundbreaking and exciting talk in person, with friends or by yourself, that can’t be replicated via YouTube. If you’re new, definitely check out some talks. If it turns out to be boring, just leave; it’s ok.
For many, especially old timers, waiting in line for an hour beforehand is no longer of interest. Up to you.
Before you go, spend some time reviewing the Defcon Schedule and speakers and note the talks that interest you.
Rank the ones you think are important to you. Ranking is important, because as you will see in this guide, there are A LOT of things to do at Defcon so you might decide to not go to a talk if it’s not a big deal for you.
When you get the schedule in hand, circle the talks so you have everything in one place.
LobbyCon
This is my favorite, but as mentioned I’ve been going for a while so I’ve been lucky to make friends along the way. In fact, I even plan for this in a way. Yes, planning for the unplanned.
So what is LobbyCon? Well, it’s just meeting friends (or random people) in the hallways and catching up with them. For many of my security friends, I only see them IRL once a year and for me, it’s all about the human experience, so I will stop to say hello and catch up personally.
So much information is exchanged in these encounters that it’s hard to enumerate, but here’s an example:
Life updates (<- Important)
What talks are good and interesting revelations
Good events to catch 😉
Meet new people (friends of friends)
Just like online, meeting friends of friends is a good way to make new friends, and this has been my experience. I’ve made some great connections over the years.
Caveat: I’m a bit of an extrovert, so YMMV. However if you do LobbyCon with a friend, it might make it a much easier experience.
One time I met a friend and fellow podcaster, Jack Rhysider, and I just walked with him while he was researching a new story. It was a great way to catch up. We both had to go our separate ways eventually, and that was it.
T-Shirts are a big deal at Defcon and in Hacker Culture, especially if they are snarky or have a funny twist. For some amazing shirts, check out the folks at Miscreants. They’ll have a booth at Defcon as well.
For the adventurous… don’t be afraid to compliment a stranger on their t-shirt and ask where they got it. Be polite of course, and follow the CoC. Keep in mind not everyone may be as socially forward as you.
Every year there is an ever-increasing number of villages at Defcon. In a way, this has become the new Defcon experience.
Imagine a room full of hackers focused around a particular topic. Before it was just IoT, Car Village, Social Engineering, ICS, Lockpicking… but now it’s expanded to non-technical areas such as Blacks In Cybersecurity, Girls Hack, and Misinformation as well as focused technical areas such as the Cloud and Adversary Village.
The Skytalks are still one of my favorites, as you may hear things you may not hear anywhere else. The Tamper Evident village and contest are very cool too.
Swing by each village at least once to get a feel. Friday is a good time to do so.
Check Twitter or their locally posted schedule for talks.
Things are subject to change; it’s a village.
Each village might have a contest, so look for some. The Packet Hacking Village is open to all, for example (laptop required).
Check out the following talks by friends (Lmk if I missed you):
Oh There Were Talks? (Aka Parties)
Parties. There are a lot of parties and they go until the wee hours of the morning.
Many people attending Defcon go only for the parties. I mean, it is how Defcon started and it IS Las Vegas. Also, for many people, this is the only time you get to see many of your friends in real life anyway.
Not all parties are Hangover style parties.
There is a whole Twitter account for official parties, and only word of mouth for the unofficial parties. You can find them off the main DEFCON page.
I’m a 24-hour kind of guy, so I LOVE the chillout lounge. It’s a place where you can go to decompress and be with your thoughts if you need. The space is open 24 hours, and during regular hours there is food, coffee, and snacks sold there as well.
Events To Check Out
For all Defcon events: https://info.defcon.org/events/
I almost forgot, if you’ve never been… an entertaining event is Hacker Jeopardy (Sat @ 8pm). It’s especially fun if you’ve been a lurker in security for a while.
As a movie fan I love this event! Watching a hacker movie with a bunch of hackers is an awesome experience. Also a good way to discover new movies.
Looks like Defcon will be hosting 2 Double Feature Movie Nights this year!
Friday @ 8pm - https://info.defcon.org/events/49009/
Saturday @ 8pm - https://info.defcon.org/events/49010/
The 13th Floor
Meet The EFF
A good event to hear straight from EFF organizers and people.
Play classic arcade games or participate in a 16 Player LED foosball table!! Definitely a fun event that’s friendly for all types, even non-partiers. ArcadeParty.org
One year there was a random sticker meetup. It was EPIC! Everybody came in with their stickers and dumped them in one conference room. It was not an official event and totally organic. This year it’s Friday @ 5PM.
Here's what I got:
Being as large a conference as it is… logistics deserves its own section.
⚠️ Wall Of Sheep
There is a Wall Of Sheep at Defcon where usernames and other information from INSECURE connections are displayed on a screen. Yes, some companies are still using IMAP without TLS. 😭
Defcon Personal Digital Safety
Probably the most important thing to realize if you’re new is that this isn’t your home wifi.
As a security person (enthusiast, professional, etc) you will need to start practicing and increasing your security awareness and operational security (opsec). A few small steps will go a long way here.
I tried breaking this down by category, but I’ll just put a list of maxims you should consider. The first two are a must. Also, this does not apply to all of Las Vegas; it mainly applies in the conference floor areas.
Don’t go on the public Defcon wifi unless you have a Chromebook for this purpose.
Turn off your bluetooth.
The secure wifi is pretty secure. Here you can download a certificate ahead of time (do so on a secure network please) and set up your devices to ensure you have good connectivity. Unfortunately this year, it might not come on until the con starts, which is a bummer. Previously you could set it up in the safety of your home.
Secure Wifi: https://wifireg.defcon.org/ (Do this from a secure location like via tether or home network, not on Public Wifi)
SMS messages are unencrypted. Expect them to be snooped by anyone. This is true whether you are in Vegas or not.
Have an always-on VPN handy and configure it so that your phone cannot communicate with the internet unless the VPN is on.
Install Signal and Telegram while at home. People will be using these apps, so exchange info with them ahead of time if possible.
Do NOT conduct bank or financial transactions anywhere near the conference floor.
Do NOT log in to your work VPN (esp. without 2FA) from any public place (this is regardless of Vegas).
LTE is somewhat secure. So if you’re using an LTE connection and your connection uses TLS, you might be alright if you need to hop on.
This also assumes you’ve taken some Personal Security Measures like enabling Google’s Advanced Security and 2FA on all accounts using TOTP, not SMS. This applies regardless of Defcon.
The further away you are from Defcon, the more normally you can behave with your digital safety.
If you plan on participating in a contest, bring a separate clean laptop for these activities (See Packet Hacking Village).
Again, you should run a threat model against yourself and understand the risk to the data on your devices. This may include work data, personal pictures and communication, etc.
Everyone has a different level of risk tolerance and data exposure. For example, an FBI agent has a different threat model from an MSSP with access to multiple customers, which in turn differs from a marketing person’s.
Defcon Tickets and Badges
The Defcon badge is often one of the coolest pieces of art made. In fact many people have them hung up on their wall, and others have a whole other level of enthusiasm with badges (#badgelife) where they collect different ones.
This year Defcon tickets were briefly on sale via Spotify, a first. See below for details.
However, if you’re reading this now and didn’t get your ticket with BlackHat, then you will need $360 in cash and to show up at the conference to pick them up.
Sometimes badges run out.
Go on THURSDAY to pick up badges. If you can’t, then go early on Friday, but expect a line, especially after 12pm. (YMMV post-pandemic)
Keep a lookout for previous con badge giveaways (see below).
The badges are often hackable. Have a serial/USB cable as well as a Linux shell handy. Oh, and a variety of extra batteries if you’re going to be serious about it.
Las Vegas & Defcon
Here is what you need to know about attending a conference in Las Vegas in the summer.
It’s VERY HOT outside
The distances between hotels are misleading if you look at a map. This was one of the first things I learned when attending Defcon. It’s at least a 15 minute walk to just the next door hotel. Not to mention getting out from inside the con. Google map the walking distance.
Expect to walk a lot
Parking is no longer free (it used to be, once upon a time)
So seriously, the security at casinos in Las Vegas is really robust. It’s not their first rodeo with us there. That being said though, I try to take cash with me before the conference, or at least use ATMs at a different casino or something.
Of course the ATM at the local Walgreens will not be as protected as one in a casino.
Get cash before you travel
Use standard ATM safety precautions
What About BlackHat and BSidesLV?
I would be remiss if I didn’t mention BlackHat and BSides Las Vegas here. Here’s a quick breakdown:
BlackHat is the corporate version of Defcon and widely different. It’s a different demographic, culture, and feel. It’s basically an RSA in the desert. It’s filled with executives, vendors, and polished CISOs. There is a higher entrance fee, 10x more vendors, and a more expensive venue.
I do NOT recommend paying for this conference out of pocket.
BSides Las Vegas
BSides started off as a side conference to an existing security conference, and later grew into its own conference. BSides Las Vegas has a feel similar to how Defcon felt about 10+ years ago. It has a smaller and more intimate setting and feel to it.
I highly recommend going if you can.
Did I Miss Anything Else?
Whew, I thought I would keep this under 1500 words, but it looks like I got a little carried away. There are a few other topics I’d love to explore, but I think I got the main points out.
I’ll be updating this guide continually to make it a living document.
After reading now, I think you’re ready to watch the documentary:
If this article was helpful to you, please share and tweet.
What was your experience like? Any suggestions? Leave a comment below.