Around this time each year, I see the question of the like “what is a good plan to safely attend BSides LV / Black Hat / DEF CON?” Each year, “thousands of hackers, infosec pros, security researchers, law enforcement agents, curious newbies, reporters, and countless others” will be at “security summer camp” in Las Vegas. Add countless stories of good and bad hijinks, and you will understand why that question is asked each year. I originally wanted to write a list of dos/don’ts but it was more difficult than I thought: the list was never-ending. There are many lists of dos/don’ts at BSides LV / Black Hat / DEF CON out there. Having been to Las Vegas for DEF CON since 2006 (except for 2009), I can say three basic facts:
- Generally speaking, electronic communications in Las Vegas during the week of the security conferences are very untrustworthy and unreliable.
- Las Vegas is really hot during this time of year. 100+ degrees each day, dry heat.
- Sexual harassment is a serious problem in tech right now.
“Generally speaking, electronic communications in Las Vegas during the week of the security conferences are very untrustworthy and unreliable.”
There is a reason why people say to leave your laptop, phone, gadgets at home or don’t connect to the network at all if you want to be safe. It is no secret that the DEF CON computer network is arguably the world’s most hostile network. However, there is a big problem with not bringing devices with you for the trip: it will be hard to learn anything. BSides LV / Black Hat / DEF CON are learning experiences, that’s why they exist. Many people bring electronic devices to BSides LV / Black Hat / DEF CON –you just have to be smart on what you are doing on the devices and what is on the devices. If you bring a personal device that contains information of value (e.g., personal email, contacts, photos), bad move. If you are sending anything plaintext (e.g., anything via HTTP), then the information will be sniffed. Having worked at the Wall of Sheep at DEF CON for years, it is amazing to see many people still check email via POP or IMAP, known insecure protocols, and alas their usernames and passwords are sniffed easily. The proliferation of mobile devices has made matters worse as many devices are set to auto-connect to an open Wi-Fi network, and many apps transfer credentials in-the-clear. It is okay to bring a laptop, preferably a “secondary” one, to Las Vegas for the security conferences: just make sure it contains no personal information, it is loaded with all the tools that you need (or boot from a Kali Linux DVD or USB drive), all software is patched and up-to-date, and wipe clean the hard drive when you return home. Having a burner phone or turning off your personal phone during the conferences are good ideas.
“Las Vegas is really hot during this time of year. 100+ degrees each day, dry heat.”
Even at night it is very hot. Stay hydrated, drink plenty of water. The good news is there are water coolers throughout the conferences. It is extremely unlikely that you will be sheltered inside of your hotel for your entire trip. For many of you, it will be your first time in Las Vegas so you will be doing some sightseeing. This year will be interesting as DEF CON will be at two hotels: Bally’s and Paris. Thus, you will be required to move around, walk, and perhaps get some exercise. Therefore, it is very important that you eat well, get some sleep, shower, and wear deodorant. Please shower and wear deodorant. Bad hygiene has been a big complaint of many attendees in the past. You are asking for serious health trouble if you are drinking all day, have bad food (the Riviera anyone?), do not sleep, and do not shower.
“Sexual harassment is a serious problem in tech right now.”
Please read “DEFCON: Why conference harassment matters”. Bruce Schneier also wrote about this problem. Please also read the DEF CON Conference Code of Conduct. The information security community is very small and everyone practically knows everyone else. Don’t ruin it for others, don’t give information security and tech another black eye. Don’t do anything stupid. You will be called out, and people in information security will have no problem shaming you.
DEF CON has made a profound impact on my career and on my life, and many have said the same. This is your community and your tribe. Make the most of your experience in Las Vegas for BSides / Black Hat / DEF CON: have fun, mingle, and learn. What if this will be your first time in Las Vegas, especially for DEF CON? The DEF CON 101 talks on the Thursday and visiting the Packet Hacking Village that is run by the Wall of Sheep are great places to start. In 2014, I wrote a guide on preparing for the events at the Packet Hacking Village. The first speaker workshop will be on the Friday which I will kick off, talking the mission of the Wall of Sheep and their brief history, tools that are used, and opportunities to grow your intellectual curiosity. I hope to see many of you there.
Pyrotechnics, flamethrowers, swords, and guns are strictly prohibited at the conferences
Believe it or not, that has been asked to the DEF CON organizers in the past. You are warned.
- Advice for n00bz at DEF CON by Violet Blue
- The Practical Guide To Security At Conferences (HORNE, 2016)
- The Newbie’s ‘How To Survive Black Hat’ Guide (Dark Reading, 2016)
- Welcome to Vegas! A Primer on Attending Black Hat & DEF CON (Duo, 2015)
- 2015 Black Hat, DEF CON, BSidesLV Survival Guide (Liquidmatrix, 2015)
- The Black Hat Attendee Guide Part 1: How to Survive Black Hat (Rapid7, 2015)
- The Black Hat Attendee Guide Part 2: The Briefings (Rapid7, 2015)
- The Black Hat Attendee Guide Part 3: Networking Like A Boss (Rapid7, 2015)
- The Black Hat Attendee Guide Part 7: Your Survival Kit (Rapid7, 2015)
- Surviving the Def Con hacker conference (Engadget, 2015)
- A practical survival guide to Black Hat and DEF CON (CSO Online, 2014)
- A Black Hat, DefCon and B-Sides survival guide (Akamai, 2013)
- Getting the Most Out of DEF CON: Some Tips for First Timers (SANS, 2013)
- How to survive Black Hat and Defcon without getting hacked – maybe (NetworkWorld, 2013)
- Black Hat, DefCon and B-Sides: A survival guide (Computerworld, 2010)
- A Defcon survival guide (The Register, 2007)
- “defcon-for-n00bs” by Hacking-and-Coffee (GitHub)