For years I’ve been wanting to dive into cybersecurity, and what better way to get started than immersing myself in DEF CON?
Although Black Hat is known as a major information security industry event, the DEF CON conference held afterward is known for its size (over 20,000 people), its hacking free-for-all (entry badges are bought with $280 cash, and teams look for new hacking techniques on its network), and the subversive culture (sessions on microdosing, police body cams, and biotech implants). The schedule was so packed that I spent all of my time between breakfast and dinner jumping between sessions at the two hotels.
Here’s what worked and didn’t:
Everybody and their grandparents have asked me about hacking voting machines. Stories on last year’s hacks started popping up again about a month ago, and then this year there were some updates, some reorganization, and a lot more visits by the press and Homeland Security.
Election officials' concerns turn to information warfare as hackers gather in Vegas
As hackers sit down to break into dozens of voting machines here in Las Vegas this weekend, some state and local…
I have no experience plugging into devices and hacking around on them, so I listened to a talk by Homeland Security and then did a brief walkthrough of the village. This year there was an initiative for kids to hack on mock election websites, which is a positive step for turning this into a teaching moment. For the most part, though, it felt like an annual meetup of voting machine hackers and not a gateway to outsiders learning about voting machine tech.
There’s an interesting, shifting standard here: the Homeland Security speaker assured us that it would be too difficult to hack voting machines at scale without being detected. That’s still concerning, because detected or not, it is hacking and disrupting an election!
They also expressed a fear (which I had read about during the 2016 elections) that the AP and other unofficial results tallies might be the weakest point, one which could be manipulated to raise doubts over the final tally.
Crypto & Privacy
I was at DEF CON in part to deliver a talk at the Crypto & Privacy Village. As I explained to hotel reception, I’m not a hacker, but my topic was interesting to the hackers, and I could learn some things along the way.
Other than my own talk, I enjoyed talks on the Cicada puzzles (from a solver who had learned a lot along the way) and Post-Quantum Encryption (from Microsoft Research).
Official sessions (including DEF CON 101)
The official sessions had huge rooms and covered all things information-security and policy: police, smart cities, “Big Brother”. There were also some clever examples of X-rays for reverse engineering, a “ThinSIM” sleeve around a SIM card, and counter-Blue Team ideas.
It wasn’t clear to me why the ‘101’ sessions were organized into one track and why it was then titled ‘101’. I saw great sessions there that did not come across as an introductory topic or lecture, including on the first day.
CAAD / GeekPwn
This room had interesting talks around Adversarial Machine Learning and other methods of fooling AI systems, for example making an autonomous car think a stop sign is a tree. It’s easier and more bizarre than you might think… early this year researchers developed a sticker which makes Google think anything is a toaster:
A Simple Sticker Tricked Neural Networks Into Classifying Anything as a Toaster
Image recognition technology may be sophisticated, but it is also easily duped. Researchers have fooled algorithms into…
There is a lot to say about how these attacks are built, how systems are defended against them, and whether they are dangerous or not, and that gave the village a lot of material. Some talks were more academic or farfetched, but that might come with the territory.
This is the village where I thought ‘I want to try to speak here next year’.
As an outsider it was difficult to get a read on the goals of CAAD/GeekPwn at DEF CON. Also they never got their schedule into Hacker Tracker or the Outel page, so I had to check on their talks separately.
I might not be becoming a cyborg anytime soon, but I was interested in two back-to-back talks here. The first one inspired me to look up some post-CRISPR ideas about writing DNA code into a cell, or protecting the human genome from viruses inserting themselves.
The second one involved GIS data, which I liked, but for a Bio Hacking talk it was misleading, because the speaker hadn’t started to look into health applications. At one point the speaker showed a wind simulation with buildings, and at another point suggested that data from autonomous vehicles should be collected and used to monitor animal behavior.
Blue Team, Ethics, Recon, Packet Hacking
I made a visit to each of these, and the talks which I sat in seemed academic or antiseptic. I hate to paint with a negative brush, but topics which I thought would be open-ended and relevant to me started with a discussion of “what’s the difference between BasicConceptA and BasicConceptB?” or a set of curated Tweets about setting up a security team. Maybe I wasn’t the right audience for this.
I never even got in line for Sky Talks! How long do you have to wait? I initially wanted to drop in on 3+ talks, but it seems like you get in line and see what you see.
In retrospect, the line here is longest because it’s one of the few sessions where nothing can be recorded. You either see it here or you miss it. Theoretically you could come here and watch all of the other talks later.
With one other exception…
Last but definitely not least, Social Engineering. In the mornings there is a contest where ‘social engineers’ call companies (live, in front of the audience) and talk employees into giving away technical details. This is something which I heard about many years ago and finally saw In Real Life. There was one guy who asked “first you should tell me what an IP address is” and moments later dutifully read it off of a sticker.
It was a strange spectator event. Watching a feed from the phone booth, on one level it felt like I was watching a weird YouTube video, but knowing it was happening live and that we could hear the unsuspecting people felt uncomfortable. There are a lot of people in the world whose job depends on answering random questions from their bosses on the phone. They need social engineering audits and protocols the most, but I’m not sure they need to be the entertainment for a hacker audience.
This year there was also a ‘human track’ of late afternoon and evening talks. On Friday I was here until 8pm, listening to fascinating stories.
Talks I would want to hear at future DEF CONs
Blue Team: what is a Blue Team, how do you know if you need a Blue Team, what are those basic everyday tools which Blue Team people need to know (preferably open source)
Ethics: costs and demands of technology in the developing world, ethics and risks of programs to circumvent Chinese censorship, how are we using people to build up AI knowledge, a section about the book “Algorithms of Oppression”
Voting Village: “Here’s how I approach hacking a new voting machine”, “Yeah we can hack these voting machines, what do we plan on doing about it?”, “If you did voting by blockchain, here’s what you would do”.