About a quarter of a century ago, a handful of hackers decided to have a party in a cheap hotel, and had a whale of a time.
Fast forward to 2018, and that get-together has grown into events that will see an estimated 30,000 people converge on Las Vegas for the biggest security shindig in the world – the combination of Black Hat USA, DEF CON and BSidesLV.
While that first gathering morphed into the DEF CON hacking conference, the biggest event is Black Hat USA, which begins on Saturday, and runs through until Thursday, August 9. This is the flashy corporate brother of DEF CON, and features four days of security training, a one-day invite-only CISO summit (from which press are strictly barred) and two days of briefings featuring everything from government agents to hardcore hackers talking about the tricks of the trade.
Although they have a shared origin – DEF CON founder Jeff Moss also set up Black Hat USA – these days, DEF CON and Black Hat USA are run and operated separately. We've previously described the behind-the-scenes and arduous task of setting up and maintaining computer networks for attendees of hacker conventions.
As a ten-year veteran of Black Hat, your humble vulture can tell you there's a lot to be learned from the event. There are always too many talks to get to and a host of ancillary events. However, the quality of talks is very good. This isn’t RSA, which auctions off some of its keynotes to the highest bidder.
Instead, talks are mostly chosen on merit and originality, and there have been some barnstormers in the past. It was at Black Hat ten years ago that Dan Kaminsky detailed how he discovered a gaping security hole in the globe's Domain Name System (DNS). I asked him at the time why he didn’t just run riot, exploit the flaw, and buy his own desert island from the proceeds. He responded he didn’t want his mother to have to visit him in prison.
But as important are the networking opportunities. The bars and cafes of the Mandalay Bay conference center will be jam-packed with security folks making deals, swapping tips and meeting up with their contemporaries.
Ditch the suits
As Black Hat ends on August 9, DEF CON begins and runs until Sunday, although it's worth staying on an extra couple of days if you have the stamina as there are numerous unofficial events – notably some explosives and fireworks hacking that goes on in the Nevada desert.
If Black Hat teaches you the secrets and tricks you'll need to stay a step ahead of miscreants, DEF CON is for those who prefer to dive straight into the source code, disassembled binaries, and torn-apart hardware. It's the event that hardcore hackers go to, and increasingly bring their kids to so that the next generation of techies can get their skills in order.
Black Hat also has a lot of suits, whereas DEF CON is more a cargo pants and Mohawk kind of affair. Things are relaxed, fun, occasionally drunken and the parties are legendary. Sadly the show has got a little too big for its own good and there's always too much to see and do.
The late arrival is BSides Las Vegas, which runs on the Tuesday and Wednesday. This is a smallish event, with only a couple of thousand attendees, but that gives it the feel that DEF CON used to have before it got so large.
Last year's event saw a host of interesting talks that were either too controversial or too involved for Black Hat. Again, it's a very informal affair and its pool parties are fast gaining a reputation for being enormous drunken fun.
Hacking the hackers
All three conferences share a common concern for some – the possibility of getting hacked. All attendees are specifically warned to be careful as there are, well, you know, hackers around.
This risk is somewhat overstated. It has been years since anyone was seriously pwned at Black Hat, and the last people caught doing it were summarily ejected from the venue. BSides, too, takes a dim view of such proceedings.
But at DEF CON, it's positively encouraged – indeed there's a constantly updated Wall of Sheep displaying the names of those whose systems or connections have fallen prey to cunning crackers. Anything sent via plaintext – passwords, email addresses, etc – over a public network will be snooped on and writ large.
Only use the DEF CON conference Wi-Fi if you want your system to be comprehensively penetration tested for free. Of course, you're likely to be hit with exploits and techniques for known vulnerabilities; someone's unlikely to burn a zero-day exploit against you in public when such code can earn big paydays from private buyers. Splashing an exploit around for people to capture, keep, and distribute themselves somewhat lowers its market value.
So, just take sensible precautions. Bring kit you don't mind wiping at the end of the trip, don't keep or log into anything personal or sensitive on it, and make sure it's fully patched and locked down. Don't join public or sketchy Wi-Fi and cellular networks. Consider leaving your phone switched off. Don't plug free stuff into your USB ports, and so on.
There are also wider security considerations. You'd be a fool to use the ATMs in and around the conference venues, given how many card skimmers may be operating. Back when Black Hat was still at Caesars Palace, an attendee noticed a dodgy-looking cash machine in the hotel. They went to the organizers to let them know, and the conference was abuzz with who was responsible. As it turned out, no one was – the ATM had been installed weeks previously by unknown criminals.