It's that time of the year again: The trinity of infosec conferences
A quick guide to Hacker Summer Camp
Another year, another Hacker Summer Camp – the collective phrase for BSidesLV, Black Hat, and DEF CON, the infosec conference trinity that traditionally takes place around about this time of the year in Las Vegas.
An estimated 40,000 people will be heading to the scorching-hot US city this week to hear all about this year's computer security failures and successes. You can catch our coverage from the shows right here.
What started with a June 1993 party in a Vegas hotel is today the largest gathering of IT security folk on the planet. It's also a tough week for the casinos. As one worker on the Strip remarked: "You guys never bet on the poker machines," to which the response was: "Most of us studied math."
Here's what those attending can expect.
Digging in for the whole week
Some attendees will be plonked firmly in training sessions and classes for the first few days. But like the Vegas tourists around them, most people are coming for the main shows – namely Black Hat USA 2023 and DEF CON 31.
While sessions at those two events are important, folks can pick up some useful tips and industry info at the smaller BSidesLV. What started as a place for rejected conference talks has grown into a thriving space for challenging discussions. Some presentations are worth investigating, some can be a bit niche – but if you're in the security space, it's worth popping into.
For instance, on Tuesday there were a couple of talks on the IT security of the food supply chain.
On Wednesday, in a talk aptly named "The British are coming," the software cyber resilience lead in the UK government's Department for Science, Technology and Innovation, Charlie Gladstone, will be speaking about Internet of Things security, protecting digital infrastructure, and more, along with David Rogers MBE and Peter Stephens.
David Stocks and Julia Wighton of PwC's cyber security and digital trust team will share details on how to deal with security incidents and track down the root cause. Given PwC's MOVEit-related problems, they may have some inside information.
Not only do you get a good set of briefings at BSidesLV, but the crowd is a friendly one, and it's an excellent place to build contacts and mingle with like-minded techies. Plus the BSides parties are the best you'll get this side of DEF CON circa 2004.
Over at Black Hat, after a few days of training sessions, the actual briefings begin on Wednesday, and there follow two days of talks – far more than anyone can get to – on the latest security issues and challenges. The selection of keynote topics this year is also intriguing.
A must-attend keynote on Wednesday afternoon is a chat between Jen Easterly, the director of the US government's cyber security agency CISA, and Ukraine's deputy chairman of the State Service of Special Communication and Information Protection, Victor Zhora. Given the current state of the war, it could be a fascinating discussion, moderated by journalist Lily Hay Newman.
The Wednesday morning keynote is unusual. Maria Markstedter, Arm CPU specialist and founder of Azeria Labs, will be exploring the likely effect of AI on security. This is going to be a central theme of the show and there are multiple talks scheduled on the topic.
Finally, for those wanting an update on what Uncle Sam is doing to shore up its cyber security, Thursday's keynote will be given by Kemba Walden, the acting US National Cyber Director for the Executive Office of the President, who is set to explain the finer points of the government's cyber security strategy.
There's also a plethora of IoT security sessions scheduled, and a lot on the perils and benefits of cyber insurance. A good example of that would be a talk by John Caruthers, formerly of the FBI, on Wednesday afternoon.
In the past there have been some notable sessions, including the late Dan Kaminsky's 2008 presentation on how he discovered a DNS-level vulnerability that could have been exploited to break the internet; Barnaby Jack's cash-spewing ATM demonstration; and Charlie Miller and Chris Valasek's talks on compromising not-so-smart vehicles.
Sadly, not all talks are of such high standard, and with so many on the schedule, you need to choose how to spend your time with care. Even then, you may end up disappointed. When Apple decided to present at Black Hat for the first time in 2012, there were large queues to get in – but the actual talk was just a disappointing rehash of a public white paper. Still, gambling on something is part of the fun of Las Vegas for some.
In addition there's the expo floor – smaller than what you'd find at, say, the RSA Conference, but generally with more interesting stands. The US government is there in force, looking to recruit those willing to serve the country, and can be unusually candid at times.
Getting down with DEF CON
While there are suits aplenty at Black Hat, they're rarer than hen's teeth at DEF CON: it's a much more relaxed affair. T-shirts and cargo shorts are more normal, and there are usually some costumes in sight.
One tip is to avoid wearing a red T-shirt. These are traditionally worn by the Goons, who act as guides during the DEF CON show and are undoubtedly the most friendly and approachable conference representatives this vulture has ever seen. Wear red, and you might get mistaken for one and find yourself badgered by attendees.
The DEF CON talks are a little more practical and a little less policy wonkery than those at Black Hat – only a little, mind, at least this year – and are organized into tracks of presentations each typically lasting 20–45 minutes, spread over Thursday to Sunday. The lines for the most popular talks are brutal and can lead to disappointment, so get there early if you want to ensure you get a seat.
DEF CON founder Jeff "Dark Tangent" Moss will again handle the keynote on Friday. He'll be joined on stage by secretary of the Department of Homeland Security Alejandro Mayorkas. The conference used to run a competition called "Spot the Fed" (and occasionally Spot the Journalist) to find government agents concealing their identity at the show. Now, you're going to see plenty of Feds at the 'con, as law enforcement has figured it's better to work with security folks to sort out problems.
It's a sign of how egalitarian the show is that Moss – who also created Black Hat in 1997 four years after the first DEF CON – will be competing with other speakers. Some members of the famous hacker group the Cult of the Dead Cow will give a talk on a secure peer-to-peer, decentralized system called Veilid, which is pitched as offering similar privacy to Tor and which comes with a state-of-the-art encrypted messaging app.
Also competing with Moss is a talk about this year's AI hacking challenge – the largest one yet of its kind – at DEF CON 31. Anthropic, Google, HuggingFace, Meta, Nvidia, OpenAI, and Stability are providing the models to be probed.
The presentations are fairly informal (speakers making their maiden DEF CON talk are encouraged to do a shot of spirits before starting, which may help steady the nerves). A Q&A session usually follows the talks and this is often very informative, given the caliber of the audience.
But what makes DEF CON so useful isn't the main track talks – it's the villages. These are get-togethers of security folk focused on topics ranging from satellite hacking, industrial control system subversion, and lockpicking to advanced social engineering. There's also a kids section for those bringing their offspring. There are over 40 to try out.
The satellite-hacking village looks particularly interesting. The US Space Force has lofted a physical satellite specifically for its Hack-a-sat competition this year, and will let teams compete to show who can subvert the orbiter in the most interesting way.
Many of these villages have their own training talk sessions. The biggest advantage of the gatherings is that you are surrounded by like-minded people who are generally approachable. It's a great way to get expert advice on a topic you're interested in and make friends who share the same passions.
One final word on security. DEF CON is really the only one of the three shows where someone is plausibly going to try to compromise your equipment. For a start, there's the Wall of Sheep, run by the packet-hacking village. This typically picks up unencrypted login attempts and other unprotected activities over the conference network, and may publish obscured details of these slip-ups on a giant screen. If you see yourself up there, have a rethink about your personal security.
Some people will be shameless, though. DEF CON remains the only show where I've observed someone trying to actively break into my stuff remotely. Use burner devices – or at least devices with nothing too sensitive or interesting on them – that are fully updated and suitably firewalled, with no externally exposed services. Keep them in airplane mode until connectivity is needed, and avoid the public network: stay off the Wi-Fi and use a secure VPN over cellular, and you won't look like low-hanging fruit.
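To make concrete what a board like the Wall of Sheep is actually looking at, here is an added Python sketch – not the packet-hacking village's own tooling, which the article doesn't describe – that takes a handful of constructed "captured" lines in the cleartext protocols that classically end up on that screen (HTTP Basic auth, FTP, IMAP), pulls out the credentials any passive observer on the same network would see, and renders them obscured the way the board does. The encrypted TLS line shows the flip side: with a VPN or TLS in front of the login, there is nothing to display. Every address, hostname and credential below is made up for the example.

```python
import base64
import re

# Constructed sample "captures" as (source_ip, destination, protocol, payload line).
# These are invented for the example; they are not real traffic from any conference.
SAMPLE_CAPTURES = [
    ("10.0.0.17", "example.test:80", "http", "Authorization: Basic YWxpY2U6aHVudGVyMg=="),
    ("10.0.0.23", "ftp.example.test:21", "ftp", "USER bob"),
    ("10.0.0.23", "ftp.example.test:21", "ftp", "PASS letmein123"),
    ("10.0.0.42", "mail.example.test:143", "imap", "a001 LOGIN carol s3cret!"),
    ("10.0.0.55", "example.test:443", "tls", "\x16\x03\x01..."),  # encrypted: opaque to an observer
]


def mask(secret: str, keep: int = 1) -> str:
    """Obscure a credential for public display: keep a one-character hint, hide the rest."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def extract_credentials(lines):
    """Walk captured lines in order and return (src, dst, protocol, user, password) tuples
    for every login that crossed the wire in cleartext."""
    findings = []
    # FTP sends USER and PASS as two separate commands, so remember the user per connection.
    pending_ftp_user = {}
    for src, dst, proto, payload in lines:
        if proto == "http":
            m = re.match(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", payload, re.I)
            if not m:
                continue
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # malformed header: nothing recoverable
            user, _, password = decoded.partition(":")
            findings.append((src, dst, "HTTP Basic", user, password))
        elif proto == "ftp":
            m = re.match(r"USER\s+(\S+)", payload, re.I)
            if m:
                pending_ftp_user[(src, dst)] = m.group(1)
                continue
            m = re.match(r"PASS\s+(\S+)", payload, re.I)
            if m and (src, dst) in pending_ftp_user:
                findings.append((src, dst, "FTP", pending_ftp_user.pop((src, dst)), m.group(1)))
        elif proto == "imap":
            m = re.match(r"\S+\s+LOGIN\s+(\S+)\s+(\S+)", payload, re.I)
            if m:
                findings.append((src, dst, "IMAP", m.group(1), m.group(2)))
        # Anything else (TLS, SSH, a VPN tunnel) carries no readable login and is skipped.
    return findings


def wall_entries(lines):
    """Render findings as the obscured one-liners a Wall of Sheep-style board would show."""
    return [
        f"{src} -> {dst} [{proto}] user={mask(user)} pass={mask(password)}"
        for src, dst, proto, user, password in extract_credentials(lines)
    ]


if __name__ == "__main__":
    for entry in wall_entries(SAMPLE_CAPTURES):
        print(entry)
```

The board only needs the protocol, the endpoints and a masked hint to make its point; the lesson for the attendee is that the unmasked values were just as readable to everyone else on that network.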
Don't leave gear unattended, and keep an eye out for any suspicious activity or anyone trying to stick a cable in your ports. That's not a Vegas euphemism.
Other tips and tricks
With the high temperatures this year, here's a general rule of thumb for summer in Sin City: always be hydrating, and we mean with water. Most of your time will be spent inside heavily air-conditioned rooms that will dry you out. Or worse, you're going outside. From a dehydration standpoint both are less than ideal, though there are water coolers everywhere. Bring a water bottle you can refill, and drink as much as you can.
Comfortable shoes are also a must. There's a lot of walking involved between sessions, a lot of standing around waiting in lines, and this takes a toll on the feet. I know one brave soul who said she made it through the whole of Black Hat in high heels – but it's not advisable.
None of the conferences is requiring face masks, although they are recommended. With any event on this scale, with people flying in from all over the country and world, conference cough has always been a thing. With COVID-19 the stakes have got slightly more serious. Do as you will in line with personal choice.
When it comes to food at a conference on the Strip, your choices are: reasonably priced, good quality, or on-site. Of these options, you get to pick two. If you have time, it's worth taking a taxi to somewhere that fulfils the first two choices, and Las Vegas has some great food choices if you leave the main thoroughfare.
All three conferences are dispersed – Black Hat's down at the end of the Strip and DEF CON and BSidesLV are spaced out. If you're going to get a taxi, book early and don't trust the estimated time on your mapping function. And for Black Hat, specify the convention center, not the hotel. The monorail doesn't go all the way down to the Mandalay Bay but there's also an off-Strip bus service that is nearly as fast as a car, at least at rush hour.
Finally, remember to have some fun. Sure, Black Hat is mainly about networking, but there are some good parties too. DEF CON and BSides are much more relaxed and have brought about some lasting friendships. ®