Notes from DEF CON 30

For background: DEF CON is a long-running cybersecurity conference held in Las Vegas. Recently it takes place the same week as Black Hat, another Vegas-based security conference, but DEF CON remains known for an independent / hacker vibe. Famously they only accept cash at the door for the event badge, to protect privacy and avoid getting hacked themselves. In addition to the main talks, there are volunteer-run ‘villages’ which apply for a spot at the event and then host their own talks.
This year I gave a talk in the ‘AI Village’ about my side project in code generation models.

• When someone asks what I saw at DEF CON, I always mention the Social Engineering Community ( www.se.community ). I would never believe what information people would give away to a stranger if not seeing it happen live. This was the first year with the reorganized group, and they kept it fun. One of the competitors wrote a post about his experience.
• This was also the first year for the Quantum Village. As someone who has followed quantum computing and post-quantum cryptography on and off over the years, I think anyone could sit down and get plugged into the latest developments (e.g. benefits of different algorithms and NIST approval) by sitting down for these talks. This slide says a lot and I took it home for future reference:

• DEFCONPolicy (policy village? policy department?) had another great year engaging with government around right-to-repair and understanding technology. They brought some former Congressional staffers on stage to talk about their experience. The team seems eager to get help and to mend the longtime clashing between hackers and government.
• Misinformation Village had some talks about collecting information and identifying coordinated campaigns. This seemed mostly oriented at OS Intel / basically scraping and collecting social media info rather than from anyone working inside of Twitter or Meta. Also weirdly they did not have any talks on Sunday.
• Great talk on the latest in Tor and Russia; I later installed Tor Snowflake on my personal computer (it makes you into a Tor middle node in the Snowflake network, which disguises traffic as WebRTC calls). It seems like the info war involves Tor and opponents sending new bridges out to their channels, and distrusting newly-created accounts.
• I only saw one talk at the BioHacking village and it was about brain data. Luckily it didn’t seem that this deep brain stimulation device had been hacked. Because a patient arrived at a different hospital from where it was installed, it was difficult to identify the device, read its error message, and resolve the problem (it reset instead of following the patient-specific settings). Also the effects of a malfunctioning device are similar to worsening of the original condition, so it might be missed.
• CSRF talk — I work on a web team so this was the most relevant to my actual work. By using service workers, the speaker found browser bugs which circumvented cookie security settings. The issue has been fixed in Chrome. Interestingly, Firefox’s dev tools showed the expected security and not the demonstrated network interaction.
• Formal verification, tractors, ticket-buying bots, rooting Chromebooks — the speakers at the main stage talks were best of the best, really incredible, but I’m a long way from being able to fully understand or use their tech.

Notes on organizing:

• DEF CON required masks. People generally followed the rule, a good number of people had KF94/KN95, some people wore a bandana. On the first day I saw someone lecturing a bandana guy and someone giving a surgical mask to a cameraman (recording had to be done by the facility, so this wasn’t a DEF CON or workshop person).
• There were a limited number of badges in an online pre-sale this year, which makes it easier to get a receipt and reimburse with a company. The sale must have been very limited as they ran out before I finished booking my trip?
• Thursday — what happened? When I attended in 2018 there were only a few main-stage talks on Thursday, but overall a good day to pick up a badge, sit in on a more obscure talk about x-raying hardware, and check out Las Vegas. This year it seemed last-minute that no one scheduled any real events on Thursday.
• AI Village, Misinformation Village, Quantum Village, and one lower-key event (I think passwords?) shared one giant room. I dropped by AI Village shortly before my talk and could hear OK, but at later events you could be a few rows back and not hear anything.
  Aerospace Village had their own room, and a variety of interesting topics, but only a tiny space for speakers, where I could not hear a thing.
• CTFs — I keep thinking that I will participate in a capture-the-flag (CTF) competition one day. In the end I answered a few questions in the Quantum Village CTF, but generally fell short. It’s good that the CTFs and other village competitions are open to anyone online, and that they extend past the conference dates. Definitely it’s on me to participate more.