Black Hat vs. DEF CON

Introduction

This will be the first blog in a series describing my experiences from August 3rd through 10th in Las Vegas, Nevada for Black Hat and DEF CON, two of the best cybersecurity conventions in the world!

Black Hat and DEF CON are both run by the same organization, UBM, with tons of big-name corporate sponsors like Microsoft, FireEye, RSA, Veracode, Cisco and Qualys. Thousands of people come out for both events, with companies sending their security employees for training in the most cutting-edge cyber topics, or even presenting their own security research findings to the rest of the attendees in the briefings. Despite being affiliated with large companies today, these conferences actually began as an unofficial gathering of hackers (someone was literally just throwing a really big party in Vegas). And so, in 1993 DEF CON was founded by that someone, Jeff Moss, aka American hacker “The Dark Tangent”. He then started Black Hat in 1997 as a more professional conference, geared toward the commercial security industry. Black Hat now takes place all over the world, and the USA conference is always held the same week as DEF CON in Las Vegas. It is still pretty much a party, and every year more and more people come to celebrate.

There are a lot of differences between Black Hat and DEF CON. This blog is going to be about my experiences, but I would like to preface this description with the fact that I had an amazing time at both conferences and would love to go back! That being said, I will be candid, sharing my personal opinion about what I liked and didn’t like so newcomers will have a good idea of what to expect when they’re there. I’m sure some people might agree and some people might disagree, but it is my personal opinion. At the end of the day, it is just one perspective, and I encourage everyone to really experience these conferences for themselves!

First, the cultures of Black Hat and DEF CON are contrasting. If I were to describe DEF CON to a random stranger, I would tell the person to think of a death metal concert, and just imagine that those same people with beards, black t-shirts and mohawks are also hackers. Black Hat is by far the more professional of the two conferences, while DEF CON is more of a Warped Tour for hackers.

Black Hat

This conference is very well organized, with scheduled coffee and snack breaks, some free food, a business hall for recruiting and product pitches, and a lot of famous speakers. This year was particularly interesting, as the keynote was given by Attorney Jennifer Granick, who is well known in the hacker community for her beliefs on intellectual property and for defending a lot of high profile hackers such as Aaron Swartz and Kevin Poulsen. I was very impressed that there was a female keynote speaker — in Black Hat’s 19 years, there has only been one female keynote speaker before Ms. Granick. Her speech was very interesting, and opened up my eyes to an area I knew very little about: cyber policy and the Electronic Frontier Foundation. As a part of the first generation to grow up with computers at home and the internet, I realized that I take this open access to information and ease of use for granted, so being able to listen to one of the early adopters of the internet, and what the “hopes for it” were, was quite a compelling topic.

All of the briefings at Black Hat are very well chosen, and I enjoyed most of the ones I attended. One was canceled at the last minute because the speaker had trouble getting a U.S. visa, but I think that is a pretty normal occurrence because no one seemed shocked. The most popular briefing, and by far my favorite, was about the Jeep hack, presented by the partners in crime themselves, Dr. Charlie Miller and Chris Valasek. I was able to see some footage of the car being driven remotely and different things happening like turning on the windshield wipers and turning off the brakes. It was a great mix of technical content and humor, which kept the audience thoroughly engaged.

One of my favorite parts about Black Hat was the two groups I was able to take part in. The first group was the “Academic” group, so I had the opportunity to meet a lot of other students who had also won the Black Hat scholarship to attend the conference. It was nice to meet some people my age and just talk to them for a little about what we expected, as most of us were brand new to the conference. Also, I loved getting to meet the Executive Women’s Forum members. It was wonderful to meet them, partially because there were free lunches available, and partially because of the great networking and advice. I also very much enjoyed a panel I went to called “Beyond the Gender Gap”, which was literally a panel of InfoSec women just talking about what it was like to be a woman in information security, with no reservations.


Additional Pros:

  • I liked getting free stuff in the Business Hall! I needed an extra suitcase for all of the free t-shirts. I also won a Raspberry Pi courtesy of Lockheed Martin. I love free things, especially free hardware.
  • The people helping out are courteous and kind. I don’t know if they were staff of the hotel or hired by the conference, but they were very nice to me whenever I had questions.
  • There’s adequate seating at talks, and it is pretty easy to get from talk to talk on time.

Cons:

  • The happy hour in the business hall. I recommend passing out your resumes BEFORE the drinks start coming out.
  • Way more expensive. Like, impossibly expensive. (One training is $3,000. I hope I get a job that will pay for me in the future to go to Black Hat.)
  • So much security, so little time. I think that just two days of briefings (unless you did 4 days of training) is too short. And, one of the two days overlaps with DEF CON. That is kind of dumb. Especially because next year I believe the last day of Black Hat is the same day as the DARPA super computer CTF competition.


DEF CON

This conference was fun to go to, mostly because I got to hang out with my dad. It was nice to know someone there, instead of wandering around all alone trying to find someone to talk to. And, he knows a lot about cyber security, so when I had a question, I could just ask him!

I loved the simplicity of some of the DEF CON talks on the “DEF CON 101” track. Compared to Black Hat, these talks were geared towards absolute beginners in their respective areas, so it was helpful when you were learning about something for the first time. Other talks outside this track were also very useful for security beginners, like how to set up a malware analysis workstation and a free Kali Linux workshop. Some of the more advanced talks at both conferences, if they weren’t in an area I was familiar with, would go over my head, so I wasn’t able to get as much out of them.

My favorite briefing was called “I Will Kill You”, which explained an unfortunate loophole in both the Australian and U.S. social security and medical systems that allows someone to (illegally) pose as a physician and a mortician to write you a fraudulent death certificate. The person can then proceed to give away all your assets via a falsified will, either to themselves or to a fake child whose birth certificate is approved by the fraudulent doctor. Although this cyber exploit is absolutely illegal on a variety of levels, the briefing was entertaining to watch, especially because of the lack of validation and security in the systems. It was pretty outrageous. I wouldn’t have believed it if I didn’t see it for myself at DEF CON. And the worst part about it? Sometimes when a person is “killed” they actually can’t legally “come back to life” because there isn’t really legislation regarding people that were considered dead and are not actually dead. So, if someone “kills” you, you’re pretty much dead for the rest of your life.

My other favorite part was the “Sky Talks”, which not a lot of people know about, because they aren’t really advertised and they don’t publish any official schedule. My dad and I went up there (you could see the Vegas skyline, it was beautiful) and we were warned not to use recording devices or take pictures. We happened to walk right into a panel of real hackers from the 80s and 90s, literally some of the first people to ever attend DEF CON (and to be defended by Jennifer Granick). Most of them had hats and sunglasses on to protect their identities.


Additional Pros:

  • I liked the people I met there, and I also liked dressing casually. It’s so nice to just wear shorts and a t-shirt, instead of heels and a blazer.
  • DEF CON is wayyyyyy cheaper than Black Hat, and the merchandise is cheaper. I bought a t-shirt from a past DEF CON for like $15. I just wanted a shirt that said DEF CON and I liked its design better than the DEF CON 23 ones, so it was a win-win.
  • There are more days, so you can see more briefings and there’s a bigger variety of things going on.
  • Lots of free stickers for my laptop!

Cons:

  • Some of the “Goons” (aka the people that volunteer to work at DEF CON and direct traffic and in general help out) were kind of rude. Some were just plain mean when you asked them questions… I thought that was what they were there for! At first I thought it was just me, but other people expressed the same sentiment. I didn’t like that, especially in comparison to the people at Black Hat, who were so nice. I know there are mean people everywhere you go, but it was really off-putting.
  • There was this one talk I went to in the packet capture village. But there was also a DJ in the packet capture village. So it was pretty annoying because you’re trying to listen to this guy talk, and then there’s this DJ playing louder and louder, and you’re like PLEASE STOP PLAYING MUSIC. I did not return to the packet capture village.
  • I didn’t like having to walk through the casino because of the smoking inside. The conference was split between the two buildings, Bally’s and Paris, that are connected via the casino, so it is pretty impossible to avoid but also pretty annoying.
  • I know that space is always an issue because there are just so many people there, but there were severe bottlenecks that made it pretty impossible to see all the talks you wanted to see, or even just run to the bathroom in between talks. There is a lot going on, and so it is already hard to do it all because things are at the same time, and it is really difficult to walk through the crowd, so if you’re not careful you may end up standing in the hallway for most of the day.
  • There were no dedicated things for women. Not that I don’t like guys (in which case, I should change professions), I just like meeting other girls to talk about girl stuff with. They are always talking about how there are not enough women at DEF CON. If they hold an event for women, then we would all be in the same room and see each other and realize “OMG there are women in this field for me to be friends with!” like at Black Hat. I think there ARE a lot of women at DEF CON, but we need to all be in a room together to notice.


The Weird and Uncomfortable

I had to put a weird and uncomfortable things section in, because there might be some things that make you feel weird and/or uncomfortable at DEF CON or Black Hat and you should know about them.

  • DEF CON has a tradition of making the new speakers take shots on stage. I thought it was weird, mostly because I wasn’t expecting it, and at 10:00 in the morning it was not so professional.
  • They curse a lot. This might bother some people, so I thought I should mention it. Actually, both conferences curse a lot, but I think they curse more at DEF CON. Not that I really care, I am used to hearing cursing all the time, and I myself am a product of my generation. But, I was pretty surprised because this was a conference. Usually, people don’t curse so much on stage. With a microphone. In front of thousands of people. Unless they’re a rapper or George Carlin.

(Side story, that I found hilarious: DEF CON has a program running that listens to all of the speakers talking and transcribes what they are saying automatically onto the screen. During a technical difficulty, the speaker was whispering, and the program continued to transcribe even though the audience couldn’t hear what he was saying. It even transcribes curse words. So then this other guy helping out noticed the transcriber printing curse words, and yelled the F word like ten times, and that was transcribed too, and the audience was cracking up.)

  • There are a lot of kids there, surprisingly. Even like, little children holding their mom and dad’s hands. I was taken aback by that. Especially with all of the alcohol and cursing around.
  • One thing I didn’t experience at either conference was sexism or any negative unwanted male attention, which a lot of women talk about in other blogs. I think it doesn’t really happen at the conference that often, and it is more likely to happen at one of the after parties. I only went to one party, but I felt totally comfortable and no one harassed me at all. I think it was the opposite actually. I felt like a lot of the guys were scared to talk to me! I was scared to talk to them too, so I stayed clustered in my friend group talking to one of the only girls at the party. It was freshman year of college all over again.


The Drinking Culture of InfoSec

One thing I want to touch upon in this post is the drinking culture in the Information Security industry. There have been two related blog posts on this topic that were published a little more than a year ago, and I think that this is an important dialogue that should take place. I am not a big drinker, I am 21 years old and I only had one very nice glass of wine while out to dinner one night in Las Vegas. I didn’t feel pressured to drink while I was there, mostly because I’ve never really felt an overwhelming amount of peer pressure to drink a lot in high school or in college, so while at the conferences it was pretty easy to decline. If you do like to drink, you will get your money’s worth during the Black Hat happy hour.

http://www.room362.com/blog/2014/05/26/go-home-infosec-youre-drunk/

http://blog.no.id.au/2014/05/infosec-and-drinking.html

There are very different rules for alcohol in Las Vegas, especially concerning open containers and when or where alcohol is appropriate (all the time, everywhere), and the information security culture is no stranger to alcohol. The business hall did not have much business going on once 5 o’clock came around. I observed that some people had way too much to drink; some that were attendees and some that were business representatives. I also attended the Pwnie awards at Black Hat, which are, for anyone who doesn’t know, a mixture of laud for the best hackers and shame for those who are the most severely hacked. The “awards” were pretty funny, but they were also a hot mess. I think they are supposed to be that way though. And the awkward drunk dancing by the presenters on stage was … indeed awkward.


Takeaways

At both conferences I’d like to see more live demos. The coolest live demo I would have seen got canceled (it was an industrial control system attack), and the Jeep videos of the hack were cool enough, but I totally wish they could have somehow set up remote driving in the auditorium. Maybe I have too high expectations, but I think everyone could up the wow factor in their demonstrations.

I definitely recommend attending the conferences to everyone, male or female. It is a really cool experience, and the positive feeling outweighs any negative feeling. I learned so much from these conferences: I learned things I need to know for job interviews and for school, I made connections, and I had a lot of fun. If something makes you uncomfortable, that can be good! Lean into discomfort, it is how you grow as a person.