BlackHat & DEFCON ’22 Recount

My First Experience Enveloped in Hacker Culture

Last year I volunteered to go to BlackHat and DEFCON, but unfortunately, due to COVID and family medical issues, I wasn’t able in good conscience to go to Vegas. As much as I loved the idea, it wasn’t worth the risk, but this year I knew I was all in. I begged for a slot to be at our BlackHat booth and much to my surprise my leadership agreed and off to the races I was.

I didn’t really know what to expect, but from reading, listening, and watching years of BlackHat and DEFCON experiences, I prepared myself as much as I could. This was a few months ago now, but even then all the talk tracks and events at the Villages were full. This bummed me out a little, but ultimately I was driven to have a good experience, and I decided to shotgun this event on my own and make it the best I could.

Las Vegas Babyyy!

Some would say I’m a smart guy. I’m not really. I didn’t start packing until about twelve hours before my flight. Probably not the best decision I made but it’s hard prepping for a place you’ve never been, and have to be for six days (counting the travel days.) I rushed to the airport and, yes, I used my own money to upgrade to first-class. I may have never been to Vegas but I know what a three-hour flight feels like and I wasn’t about to test the water on a five-hour flight. That alone was a good decision. I had two carry-ons, my suitcase and my backpack (this was going to bite me in the ass later), got to board early, and had plenty of space to relax and settle into a long flight.

Getting there late in the evening, I discovered that I should’ve expected the immediate battering of lights, slot machines, and music. A $25 Uber later and I’m at my hotel, which is another party in itself.

Side note, if you travel a lot and don’t use TSA Precheck, I’m gonna strongly urge you to get it. Saved a ton of wait time in lines. For example, I went from Drop-Off to Shuttle in just six minutes at IAD.

Vendors Vending their Vendable Wares

BlackHat was up first. I arrived early for a booth shift and was introduced to long lines and ample crowds. It was an interesting experience, to say the least, but I had amazing conversations with a variety of individuals who all had different problems and needed different solutions to combat them.

After my shift was done, I came back to BlackHat dressed in incognito mode minus the clearly visible green shade of my booth badge. Compared to other events I’ve gone to in the past, this one was ‘swag’ lite. Not many vendors were giving away free things. I think the most popular booth was the strategically placed BlackBerry Cybersecurity booth that had print-on-demand hoodies and t-shirts that you could choose from in four designs. CrowdStrike had two giant statues that were pretty interesting. Another vendor had a snow machine for their booth that made it snow. Finally, a booth had a boxing ring, and while I don’t remember the vendor, it was an interesting sight.

I was happy to see many different takes to awe and wow individuals, as much as the swag was disappointing. I did get a plethora of stickers though, which is probably my favorite collectible.

No Party Like Sales Parties

What many might not know about the trade shows are the lengths vendors go to keep you engaged even after the show floor closes. That was no different with my vendor, where we hosted two separate events, both equally interesting and fun, aside from my temporary hearing loss. We hosted an event at a speakeasy-themed bar that’s joined to an Ice-Bar which we could visit as well. The experience was great, the drinks and food were free, and I met a ton more people, including my new friend Tony, who I was first introduced to there and would go on to spend plenty of time with through the rest of the week.

Thursday Bridges the Conventions

When Thursday rolls around, the tempo shifts. People roll in from their evening conquering of the different after-hours events and their own battles with bars and casinos. It was still a good time and turnout, but there was a definitive shift in the atmosphere. Individuals come in slowly burning off the leftovers from their midnight oil and asking things more slowly. This is also where DEFCON begins. Most events happen in the afternoon and evening and are more focused on a sort of ‘pregaming’ theme. You can go pick up your badge and prepare for the weekend adventure, which is exactly what I did after my second and final shift. I grabbed my stuff and booked it to Caesar’s Forum (because I didn’t buy it through BlackHat), and met up with some of my former SOC team.

We sat in the registration ballroom for probably about thirty minutes trying to break into the badge before finally giving up after playing around with it. I’ll do a more in-depth breakdown of the DF30 Badge in another post, so stay tuned for that!

We eventually broke off so I could have lunch with my buddy Thomas from work, experiencing my first In-N-Out ever; TLDR it was absolutely amazing and so worth it.

Finally, I dropped off all my stuff and went back out to meet with my crew again, where we chilled out at a Starbucks in the Luxor for the evening catching up. It was extraordinarily refreshing and made me happy to hear that the team was growing and former pupils have become the masters that replaced me, just as I hoped they would.

Shoutout to Kristie who became an expert at training and development in teams while Trevor is out here killing off certs like OSCP. Both of them made me super proud over the week as they talked about how they’ve evolved since I left. It’s good to know you didn’t leave a place you enjoyed working at on fire and that the team was successful after you’ve moved on; it’s a good sign that you were successful in enabling them, though not as much as they learned to stand on their own.

Defense Condition I

On Day 1 (technically 2) of DEFCON, I realized I was missing some stuff. Remember my misadventures of last-minute packing? Yeah, this is where it came back to haunt me. I had to get up early and Uber to the nearest Walmart to grab a laptop charging cable, a Micro-USB, and a ton of other crap that I would have had if I didn’t just violate my own rule of being prepared. It cost me a fortune and I couldn’t just grab the stuff either; I had to wait for an attendant for everything (she was super helpful and nice though, and we enjoyed the laugh of having to hop around getting cables).

This led me to be a few minutes late to the opening of DEFCON, which was where I was introduced to the meme ‘Line-Con’ from the gate. I went to Caesar’s Forum first to link up with the crew and see Aerospace Village. The team they work with is in the industry and they wanted to go there first to check out what they had to offer. Of course, they found the badges and had to get one. I was too late to get one for myself, but no biggie.

While assembling the Aero badges, a gentleman by the handle @capnpwn came over and talked with us about hacking the badges and explained the process he went through to break into them. I’m going to avoid spoilers here, but his breakdown of how he got through all the challenges was amazing, and his experience of staying up all afternoon and evening Thursday with a crew of people to crack them was the stuff you expect to see out of DEFCON. He even volunteered to hack our badges for us, where he built a script that just did it in a few seconds. I appreciated the offer, but I knew it was something I needed to do on my own as a rite-of-passage sort of thing.

Next was the Car Hacking Village, where I was able to get a badge loaded with OBD-Kill. Going through the lines we were gazing upon tables embossed with stickers and swag galore, and I immediately lit up like a candle. For those that don’t know, I’m a sticker junkie. I love them and decorate all my gear with stickers. It was awesome to see the cars they had broken apart and hacked in various ways, along with explaining how OBD-Kill worked. I’m stoked to try it out on my own.

We hopped around quite a bit more, and each Village stood out for its own reason, and I think that’s the best part. You don’t really see the same thing twice, and there are experts in each Village that talk about the things that get them to tick, which I believe is one of the best parts of DEFCON.

Day 2 (technically 3) was no different, and we spent some time doing the WG-CTF, formerly known as the Crimsonthorn CTF, which was very fun. If you get enough points in the CTF, you get a flag that you can turn in to someone for a badge, but unfortunately, they were already out by the time we even found out about it. Next year though, we most certainly will try to get ahold of one.

Line-Con or Walking-Con?

Another thing I wasn’t prepared for was the amount of walking I had to do. During my entire trip there, I walked countless miles and stood for exorbitant amounts of minutes that reminded me of the Army. Luckily I had fresh shoes that were broken in, but if you’re thinking about going to DEFCON, make sure to be ready for the amount of walking and standing you’ll do. This is in large part because DEFCON alone was in three different resorts.

I was rather intrigued by my Apple Watch’s data that it pulled from my week there. Overall, I walked about seven miles per day during both BlackHat and DEFCON and stood for about three hundred minutes per day.

This brings me to another point…

Don’t Be Spooked To Bring Your Personal Devices

If you asked me maybe a few years ago before DEFCON was a lot more ‘regulated’, yeah sure, don’t bring your personal devices. This stemmed both from just not understanding as well as things not being as safe as they are now. Well, this year I was pretty confident in bringing my stuff. Why? One reason was their implementation of 802.1X, which they implemented via a RADIUS Server that authorizes connections as much as it authenticates those who want to connect to known-good wifi. They then have a site where you can register your own credentials to log in with. Top this with a VPN to tunnel through their infrastructure, and I felt confident about my ability to not so much be a target but more so not be an easy one.

For me, I turned my Bluetooth off, kept unused devices powered down, and just enjoyed myself knowing I wasn’t sticking my neck out. There is still an unsecured wifi anyone could connect to, but I wasn’t about to be on the Wall of Sheep, not for any reason. Also, don’t text over SMS. If you’re not using something like Signal, or at bare minimum something that messages over encrypted comms (like Discord; not end-to-end but at least a secure platform), you’re probably wrong, and they catch that stuff too (yes, if you didn’t know, SMS is easy to sniff).

My TLDR; don’t be paranoid, just don’t be vulnerable.

The Best Show in Vegas!

By far the most interesting and fun part about DEFCON was the Social Engineering Village. This place is notorious for the Vishing Competition. I was honored by witnessing a Perfect 10-10-10 Score from the Judges this year after an amazing display of social engineering by one of the three-person groups. They were able to work their way around impromptu circumstances and wiggle their way through flags, which centered around gaining information on their IT systems, their work-from-home situations, and on-site security.

The most important part is you really don’t talk about specifics in the room, and most certainly there is no video or audio recording allowed by the audience, so I’ll leave it at that, but I highly recommend it as part of your rounds if you ever attend!

It’s Better if You Plan

One thing I regret was not planning enough. We did this as sort of a ‘just run around and see cool things.’ By the time we needed to register for events or talk tracks, it was far too late and everything was sold out. So I HIGHLY recommend you book and plan early, and pay attention to the DEFCON forums that keep things fresh when there are updates and registration opens up. Otherwise, you’ll find yourself just browsing about, which most certainly is not a bad thing, but if you’re looking for more participation and less perusing, you have to do it this way.

In God We Trust: All Others Pay Cash

This is another vital thing to note: If you didn’t bring cash, you’re screwed. ATMs charge insane fees in Vegas, so if you don’t come ready, you’re gonna be losing more money than you wanted and it won’t even be at the table. Everything in DEFCON accepts cash, but very few accept cards, and usually, you get up-charged if you purchase with a card. Just do yourself a favor. Get a nice billfold, cash out a few hundred (I ended up spending a lot more) while you’re at home, and enjoy yourself at the various locations to buy things. What can you buy? Here’s a sample:

  • Merch like T-Shirts, Jackets, Flags, Stickers, etc.
  • Custom Badges from the Villages
  • Hacking Tools; Hardware and Software

The list goes on, plus this money can double as being useful if you wanna gamble.

Final Thoughts

I most certainly will be returning to both BlackHat and DEFCON as long as I can volunteer for them. If not, I will shuffle out my own money to go to DEFCON at least thereafter, because I don’t think I’ve ever felt such a strong relationship with a con and the people there; being immersed in a culture I’ve spent over a decade building a career out of. It truly was something else, and I look forward to experiencing it again!

If you’re looking for ways to get there yourself but can’t afford it, I heavily encourage you to reach out to your leadership to see if they’ll sponsor you to go. They’ll either give you a lump sum or let you expense some or all of the trip so it is more feasible for you. In my opinion, every analyst from Junior to Senior should be going to DEFCON at least, and seniors and up should be going to both BlackHat and DEFCON. The sheer mountain of knowledge, networking, and exposure to technologies and education is worth the expenses a company can incur for traveling our professionals out there to see it.

If you want more information on how to register for DEFCON, check out their website here!

See you all next year!


Mark D. Rogers Jr.

Mark is a decade-plus veteran of the I.T. and cybersecurity space, specializing in Blue Team operations such as SOC analytics, CTI, engineering, and management.

https://socops.ninja/team/mark-d-rogers-jr