
DEF CON 31

A Journey From Top To Bottom

By Medjugore · Published 9 months ago · 5 min read
Know Your Meme. Source: https://shorturl.at/luzBU

After the end of DEF CON 31 (Hacker Conference 2023), I started writing this «capture the event» forensics report at the Las Vegas Airport on 13/08.

Why squander the time during a return flight when the memories are still fresh?

  • Was the DEF CON stressful? Mostly exhausting. For my first time in Las Vegas and my first InfoSec convention, this experience has been out of proportion.
  • Did I have expectations about the conference? Too many.
  • Was it useful? Yes, even if it left me with mixed impressions.
  • Will I come back? No chance, unless I do not foot the bill. Besides, there is nothing EDIFYING in Sin City. Best to visit the great countryside or a different state.

Let’s break it down.

@defcon artwork on the lobby corner display

Business as usual

To make the most of the event, you need to plan thoroughly and come early. It was 40 °C outside but the atmosphere inside the CON forum and hotels was adequately ventilated and cool.

The total attendance was around 30,000 hackers and the first day is known as the Linecoin. This is not a fork of Litecoin but a long line of people waiting to pay for their entries. I arrived at 7 am thinking it would be early enough, but it took two hours to pass the counter.

With so many “white, grey and black hat” hackers, pen-testers, government officials, technology industry professionals, spies, and newbies, turning off mobile Wi-Fi and Bluetooth once you step inside the Forum building is compulsory. As the saying runs: No technology that is connected to the Internet is unhackable.

You pay in cash unless you were able to pre-register online by credit card. There is no receipt for cash payment. However, you receive an impressive goodie badge with a hacker bag. It was the first time in the conference’s history that online payments were allowed. Attendees who paid online were jokingly booed by the DEF CON® “goons” (security members) when the excited crowds rushed to acquire some goodies and souvenirs.

The DEF CON follows another renowned hacking conference: Black Hat USA. Together both events make up a weekly hacker summer camp and both were founded by Jeff Moss (known as The Dark Tangent).

Jeff Moss (aka The Dark Tangent). Source: https://twitter.com/defcon

The DEF CON complete program is gigantic at the very least. The conference lasted from 10 to 13 August and encompassed a large array of cybersecurity topics, from U.S. policy concerns to device hacking, capture the flag competitions, villages, workshops, interviews, talks, and more. A dedicated app, HackerTracker, helps to navigate the number of opportunities and pick your preferred events.

Screenshots from the DEF CON Program on the hackertracker app

The Reality

The whole participation was wickedly disorganized. Many demos and practical shows were overcrowded. Many times it was simply not possible to take part in noteworthy challenges because of the long line. At the same timeslot, you could have five to six planned events with many of them already overbooked. This happened if you had the chance to walk fast to find the correct location in time. Due to the large number of attendees, the convention had been scattered among four sites (Caesars Forum and three nearby hotels as vast as super freighters). In Las Vegas, the city has been designed to make visitors walk a lot to get from point A to point B, simply so that you peek at the many slot machines and give in to other blinking temptations.

After two days, the most realistic approach consisted of focusing on two to three events largely separated in their schedule and not too far away from each other. A colleague of mine confirmed that it was only on the last day that the attendance dropped enough to enjoy the conference.

Not all was spoiled, fortunately. With my friends, I managed to attend a welcome speech by the Dark Tangent, an Android hacking session (quickly executed on a 2022 general public smartphone), an ID badge hacking presentation (through relay attacks to hack ID tokens remotely), a worldwide vulnerability research talk, a “fireside chat” between Jeff Moss and the secretary for the Department of Homeland Security, a White House review on the state of Space Cybersecurity, a pen-testing lab for wireless networks, a CISA talk over the cyber warfare situation between the U.S. and its main rivals, chess games, lock-picking breaks, an AI speech (if you can attend it), Capture the flag sessions, one bug-bounty hunter’s field (partially attended), live red and blue teams introduction/demonstration (difficult to attend), collection of humorous stickers, talking with professionals, newcomers, and foreigners at relax spaces, and more.

Chat between Jeff Moss and the DHS secretary. Source: https://twitter.com/defcon

One of the most memorable moments was the debate between the DHS secretary (Alejandro Mayorkas, a real politician subordinate towel boy) and Jeff. In short, the U.S. government acknowledged that it is technically impotent and needs help to address the internal U.S. divide and the competition/conflicts with foreign powers like Russia and China. “We need your help,” pleaded the DHS secretary (an attendee went on to say that it is to conduct surveillance on political opponents). Jeff quipped about the fact that a government official of such rank had agreed to come for the first time. Turn back the tides.

Final words

All in all, the motivation is strong among the hacker public, and cybersecurity opportunities are vast as well. The resources are simple to grasp for those who pursue a cyber position. Institutions, small businesses, and government departments are all posting such job openings. In spite of the messy organization, the DEF CON certainly brings value for skilled professionals or wannabes. People networking and the variety of talks positively guide attendees to the right opportunities.

Still, I did not need to take part in the DEF CON to know what to do next. The event can seem exaggerated and so security-obsessed it’s getting maddening. Also, this American way of displaying technologies is not suited for everyone. Whether or not you mind long queues and somewhat chaotic shows, you can hack your way through the event or watch video reports online:

https://www.youtube.com/user/DEFCONConference

https://www.youtube.com/@livectf/videos

https://twitter.com/defcon

For my part, I will now push to study and fulfill the OSCP certification (Offensive Security Certified Professional) that teaches penetration-testing methodologies. I am driven by the allure of intellectual challenge, curiosity, and the thrill of this new adventure. Even if I do not pass the exam, I want to be capable of successfully attacking and penetrating various live machines and providing evidence of practical penetration testing skills.

“Hackers tend to achieve greater success within organizations where employees feel undervalued, burdened with excessive workloads, and receive inadequate compensation. In such environments, it becomes less likely for individuals to pause and exercise caution before interacting with a phishing email.” James Scott
