Get ready to unlock the thrills and chills of Defcon, the world's largest security conference. I promise to give you an insider's look at this exhilarating event, filled with expert talks that range from AI models cracking safes to taking over vehicles on the highway. And if you've ever wondered how to network like a pro, prepare to enter the exciting world of LineCon, where you can rub elbows with bug bounty hunters and malware reverse engineers. Plus, I'll be revealing how you can score an exclusive Security Unfiltered sticker if you spot me at the event!
Navigating Defcon can be as tricky as hacking a complex system, but fear not, I've got the best strategies for you, from note-taking during expert talks, exploring the various villages, to even sneaking into invite-only parties. But remember, with great power comes great responsibility – and that includes taking charge of your personal security. I'll shed light on the risks associated with bringing personal devices to the event and how you can protect yourself. And believe me, as someone who's been there, I'll share the must-know tips and my personal tales of the unforgettable Defcon experiences. So gear up, subscribe, and get ready to infiltrate the exciting world of Defcon!
Affiliate Links:
NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
How's it going, everyone? This is another Security Unfiltered mentorship episode. So I know last week I did not post a mentorship episode. I apologize. I completely lost track of my days. I actually woke up Thursday thinking that it was Wednesday, like 100% certain that it was Wednesday, and I didn't realize that it was Thursday until noon. So that's how my week went. It's just been like that ever since. I've had all these life changing events and whatnot. But here we are, right, the week of DEF CON. So I'm actually extremely excited for DEF CON. I'm really excited to get to meet some of the people that I've been talking to on the podcast, meet them in person, a lot of them for the first time. You know that's going to be fantastic. I love, you know, meeting new people, exposing new people to my podcast and whatnot. So that'll be fantastic, you know. Just a quick note, right, I will be walking around DEF CON with Security Unfiltered shirts, only for myself. I'm not selling the shirts right now or giving away or anything like that right now, but I will be giving away stickers and so if you find me at DEF CON and you ask me for a sticker, I will absolutely give you a sticker. They're not being sold anywhere else. So it's not like you can go to my website and buy them or anything like that. That doesn't exist right now. It probably will in the future, but you know, right now at least, I can give you a sticker. You know who doesn't love stickers? Right, like I love putting stickers on my desktop case and everything like that. Right, like, I don't put anything on my laptop but I do like putting it on my desktop case. So this week's episode, you know, I felt it would only be right or fitting that we would talk about DEF CON 101, right, because this is a giant conference. This is probably the biggest security conference in the world, which is almost hard to believe, but it really is right. 
So you know, if you look at the different conferences in the world, right, we have RSA, we have Black Hat, we have DEF CON, we have a huge amount of regional conferences or meetings with OWASP and you know BurbSec and all these other. You know THOTCON and whatnot. DEF CON, in my opinion, is the biggest security conference. RSA is the biggest vendor security conference, right, but DEF CON is where you know you actually talk to the experts, not necessarily from you know Rapid7 or from, you know, CrowdStrike or these big name companies. These people are here talking to you about how they took over a vehicle on the highway, right. How they took over an airplane, how they took over, you know, whatever it might be right. Some biometric scanner. It's some really interesting stuff, right? I went to a talk one year that this guy talked about how he created an AI model, put it onto a Raspberry Pi and was able to crack a safe and what would normally take something you know, he had the numbers around it, right, like what it would normally take, you know, a normal person to be able to crack this safe. It took this AI model something like two minutes, two or three minutes to actually crack the safe, which was really awesome. It was really interesting. It was really cool, right? So you're going to be getting talks like that. That's what people go to DEF CON for, and it's really important for you to understand that this actually isn't a vendor pitching event, like a lot of other security conferences are. This is more of experts that are in the weeds, getting together, geeking out, having a good time, right, staying safe or as safe as you can in Vegas, right. It's just about that, you know. So the first place that I wanna start is actually LineCon, right? So if you've ever been to Vegas or a security conference before, you know about LineCon. 
LineCon is when you're waiting in line getting your badge, waiting in line to get into one of the talks or something like that, right, and you're just, you're hanging out with other people, right, that are there that are in the same space as you. You know, the first year that I went to it I had just gotten into security, so I didn't really have a specialty, I really didn't know very much. I mean, even today, you know, I feel like I don't know that much, but back then I knew way less than I do now, right, and so you know, when I was in line actually, you know, going to get my ticket for DEF CON or my pass for DEF CON, I met someone that has a career as a bug bounty hunter. You know that was something that you kind of hear about people doing and whatnot, but actually experiencing it and meeting someone that's like, yeah, I work for about four months a year just getting bugs and doing the bounties, and you know, the other months of the year I travel, I take off, I do whatever I want. Sometimes I'll do a consulting gig here and there for a little bit of cash. But you know those first four months when I'm pumping out these vulnerabilities and these zero days and whatnot, like, it's just it's money coming in. I'm working for four months straight and then I, you know, go travel the world and that was really interesting, right, I didn't know that that was even a thing. You kind of hear about it every once in a while that like, hey, that's a possibility, right, that's a road that you can go down, but it's not something that you actually think is going to happen or is possible, right. But then here this normal looking guy is right in front of me talking about it because he does it. Right, I met another person that reverse engineers malware, right? I mean, how often do you get to talk to these people outside of a podcast or hearing it on my podcast or another person's podcast, right? How often do you get to actually hear about these people, meet them, talk to them? 
It's very few, very few times do you actually get to. So you know when you're in line, you know, feel welcome, I feel like, to talk to people you know, to introduce yourself, to get to know other people, to potentially even exchange information in a creepy way, right? I feel like it is a great opportunity for really everyone, at all levels of their career, to network with other people. You know, you never know where a relationship or just knowing someone will take you. You know, if you wanna work at Google or AWS or Microsoft, right, any of the big tech companies right, if you know someone at that company, you are going to get pushed through the process a little bit quicker. It's gonna be a little bit easier for you, right? If you know you know any, if you have an insider at any company, it's going to be a much easier process for you regardless, right? So networking is actually key and maybe you just network a person you know and you end up being friends, right? You meet up at all the different security conferences. Maybe you get drinks here and there, right, but it's a great place to be. I always enjoy LineCon. Now, one mistake that I do see new people making a lot is that they wake up way too late on Thursday, which is, you know, the very first day of DEF CON. They wake up way too late and they don't get their badge. They get a paper badge. You know, every year DEF CON manages to run out of their actual badge that they give to people, right, and it's first come, first serve. So you know, if you did your pre-registration online and you already have your ticket, you still need to go to LineCon, wait in line and pick up your actual badge. 
Now, the line is actually always moving, but you're literally going to walk for about a mile, maybe two miles, honestly, because the line is just that long and they, you know, they snake it around through, you know, the resort there, like I think it's in Caesars Palace, right, and they snake it around through these giant conference rooms, ballrooms, whatever they're called, and, yeah, you know, like they snake it around. You're gonna be walking for a while and but the line is always moving, I have found, and there's typically like beach balls being tossed around and hit around and everything, and so it's a lot of fun, you know. But make sure, if you're going to, if you're gonna wake up early any day during this conference, make sure it's Thursday. You know there's, there's just no other way to put it. If you're getting in Thursday, I'm sorry, maybe you don't care about the badge or something like that. Me personally, I really like the badge. You know I have a whole bunch of DEF CON badges and THOTCON badges that I've been to and that I obtained, you know, over the years, and whatnot. I always like it. There's typically a puzzle with it, you know, so you can hack it and it's like a game or whatever and you can, you know, go through it. You know that way, right, it's giving you something to do, something to, you know, kind of show for your trip, right, you know? Another thing that I see a lot of right is that people kind of get overwhelmed with the amount of tracks, what they should go down and do and everything like that, right? So, one, you know, when you're gonna go to a talk, try and get in line early. 
Try and be in line 15-20 minutes earlier before when that time actually starts, okay, the reason being is that these lines they build up quick and when the room runs out of seats to fill, they close the doors and you're not allowed in, which sucks, you know, because you may have really wanted to go to, you know, see, I don't know, designing RFID implants and how flipping the bird opens doors for people, for me, right, you may want to go see that one, right. But if you're not there early enough to get in line to actually get in and get a seat, you're not going to see it. And then it's frustrating, right, because then you just wasted all that time walking there. You wasted all the time potentially waiting in line. You know everything else right, and so it's better to just be early and wait in line and hang out. You know, do some more LineCon stuff, you know, talk to people, whatnot, than it is to be late to these talks. Now you know one thing that I want to bring up, right, there's different tracks. There's track one, two, three, four, I think there's even a fifth one or something like that. Or maybe the fifth one is just, you know something, what they call like war stories or something like that, right, but the tracks, you know it's not something that you have to. Once you start track one, you have to follow it through. For all of track one, you can jump around. It's really it's just separating where those talks are, right. So DEF CON, like I said before, it's like the biggest, it's probably the biggest security conference in the world, and so they will have a track in. You know Caesars Palace, for instance, right, I don't know where the tracks are right now, obviously I'm not in Vegas yet, but you know they will have a track that goes through, you know, say, Caesars Palace, and then they'll have another one in the Flamingo or wherever right, whatever the resorts are that they're holding the conference in, they'll have different tracks in those locations. 
Now, you know it is Vegas, right, so you got to plan accordingly. It could take you 15, 20 minutes to get to Caesars Palace. If you're in the LINQ, you know you have to go outside. You have to go up the stairs over the street there and then go inside and find your way right, which, if you've never been to Vegas before, if you've never gone through those resorts before, these resorts are gigantic, I mean you can get lost in them. You could spend an entire day in them and not, you know, not even be bored, right? There's a million things that you can do. But, you know, when you get the chance, look at the tracks, look at the different talks, make a list, see what you want to do, and I would recommend going to one to two talks a day. You know, really, one to two talks a day is really where you want to be at. You know, I've tried to do more and, to be quite honest, you just get exhausted, you just get destroyed at the end of the day. And what's more important about this time together, right, as hackers, as being a part of the security community, what's more important, in my opinion at least, is the experience. It's the villages, it's the parties, it's the meeting the people, talking about things that you're mutually interested in. Because, you know, think about it, right, how many times are you able to actually talk with like minded people in person, mind you, that maybe have a similar specialty as you or work in the same industry as you, but they have a totally different specialty? You know, when else are you going to actually, you know, talk to, you know, these different people that are reverse engineering malware, right? I mean, I don't know anything about reverse engineering malware or anything like that, but it's really interesting, right, I don't have a single lick of a skill in that, but it's super interesting to me and I would love to learn more, you know. So pick one or two talks a day to go to. 
You know, typically Sunday is kind of a wash day, Sunday's like when everyone is leaving for the airport and whatnot. So plan your talks accordingly. Plan for Thursday, Friday and Saturday to be your key talks that you know you're going to want to do everything in. You know, and don't feel bad if you're taking notes, don't feel bad if you don't understand it in these talks, trust me, all right, like 95% of the people in the room, no matter how big that room is, probably 95% of the people in that room are having trouble, at different points in time in that talk or throughout the entire thing, of understanding what's going on. You know, I'll give you an example, right? So I went a couple years ago, several years ago at this point, with a good friend of mine. We worked at the same company, we worked on the same team. He had a totally different skill set than me, but we worked on similar technologies, right. And so we decided to go to this talk that was talking about reverse engineering, secured memory and Intel CPUs, right. So the title, right there, was extremely interesting. It wasn't that title, but that's what they were talking about. The title was very interesting, the description seemed really interesting. Nothing else at that time really piqued my interest. And so, you know, we went to this talk, right, and I think maybe five minutes in this guy completely lost us, right? We had no clue what he was even talking about after five minutes and we stayed there and we both took notes. We took notes on things that we didn't even understand, what he was saying or anything like that. You know, because when you're passionate about learning this stuff, you should, at the minimum, take notes and review them and maybe look things up. You know you should be writing down things that you want to look up later on, all this stuff, right, because you should be going there and hearing about, like you know, war shopping, right, and hearing about how they're doing. 
You know hardware, reverse engineering, right, and you should be taking notes and maybe that's something that you're very interested in, you're very passionate about, right? Maybe it's a hobby of yours, or maybe it could be a hobby of yours and you're taking those notes to, you know, look things up down the line, right? So don't feel bad if you're taking notes or if you don't understand, because 95% of the people in that room do not understand what's going on and most of the people in the room, probably about 50%, are probably taking notes. They're taking notes some way, right, like I've always seen it. I've always seen people, you know, on tablets, laptops, whatever might be, their phone, that are taking notes, all right, and you know, for people you know that are the first time going to DEF CON, there's also a DEF CON 101 track, right. So that is designed to actually walk you through what I'm walking you through right now. It probably does a better job of it, to be quite honest, right, but you know, it's something that you should definitely explore. I think it's only for the first day, right. So it's something to keep an eye out for if you want to go ahead and, you know, learn more about DEF CON and how to navigate it and things like that. So you know, one thing to keep in mind, right, is, if you don't get to a talk, if you aren't able to, you know, go somewhere for a talk or make it right, don't worry about it. All of the talks at DEF CON are recorded. The only thing that isn't recorded is the villages, which, to be quite honest, I have heard nonstop good things about the villages. I haven't spent that much time in the villages, to be honest, but you know, all of the talks are recorded. So if you missed something, just wait until October. It's going to be on YouTube, it'll be fine. Now, the villages are actually where you're going to be getting the hands-on experience, right. 
So you're going to be talking about, you know, things like biohacking, things like social engineering, vehicle hacking. They're going to be talking about, you know, bypassing. You know just about everything in the world, right, like voting machine hacking. I mean, you name it, like they're going to be talking about it in those villages and you actually get hands-on experience with doing it. You know, one of the things that you know I always found entertaining, right, was at DEF CON. They always had kids. You know, kids have like a separate track or whatever that they can go down, but they always had kids hacking these voting machines, right? So it just makes you wonder, like if these voting machines are so easy to hack, then how can it not be hacked in other scenarios, right? So just something to think of, right, something for me to think of. That's how I think of it, you know. Next, we also have the parties, you know. So there's always after-hours parties. There's always happy hours going on like non-stop. You know, it could be vendor or sponsor led. It could be official DEF CON parties, it could be parties from, you know, random people that want to put it on, or organizations and groups and whatnot, right? A lot of them are invite only, so you have to be invited to them, you have to maybe know someone or whatnot. And that's where your networking comes into play, right? That's when you actually get to learn where the parties are and you know what they are, how they are, what to experience, all that good stuff. So just something to keep in mind. If that's, you know, not your scene, you know from what I understand, right, like it's not like a normal, you know, party or anything like that. It's a bit more professional, but you know it's still a good time. You're in Vegas. You have to enjoy yourself, you know. So let's go ahead and talk about some best practices. So I get asked this question a lot, a whole lot, and it is: should I bring my cell phone with? 
Should I bring my laptop with? Should I bring my tablet with? Right? All these different things. And you know it's a complicated question, right. So there's actually signs when you're entering the DEF CON conference saying, you know, you are at risk of being hacked if you go beyond this. Your own personal security is your own responsibility from this point on. You know you can get hacked at any point in time via any method that someone sees fit, right, and so it is absolutely recommended, it's almost mandatory, that you do not bring your work laptop with you, because that just opens your company up to a, you know, an attack landscape or an attack framework, right, that they are not prepared for, that they're not expecting, you know, and so you should not bring your work laptop or work phone or work anything when you're at this conference. For your personal devices like cell phones, your laptop, your, you know, tablet, your watch, right, watches nowadays. This is how I do it: if you're at the conference, if you're at any of those resorts, you should disable Wi-Fi and Bluetooth, like 100%. You should just disable Wi-Fi and Bluetooth. When you need to use it, you should be using a VPN. So like, let's say, you need to, for some reason, turn on Wi-Fi. As soon as you turn on Wi-Fi, you should be using a VPN for whatever you're doing, right. Whenever I'm there, I'm not using any ATMs, because the ATMs can be bugged and they could be pulling your credit card information from there, like this is a legit thing. You know people do go to these conferences. Some of them are ethical hackers and they'll just take your information and see what they can do with it. Right, and you know they won't take all the money out of your bank account. There's other people there that will take that information and attempt to take all the money out of your bank account, for example. 
So when you're there, if you plan on spending cash on something, you know, like I don't know, if you have cash budgeted for gambling or whatever it might be, right, it is Vegas. Use your imagination. You should be bringing that cash with you on the flight. You should not be going to Vegas and expecting to go to the ATM at the Bellagio or Caesars Palace or Venetian and use their ATM. You'll be able to use it, but you're really opening yourself up here and you know if you're going to use an ATM, go to a bank branch off the strip and actually use it there. You know that's really the best way for you to do it, which is very inconvenient, but that's how it is during this conference. Another thing that we should talk about is Faraday sleeves. Right, Faraday bags, Faraday sleeves. I was actually going to get some of those products. I just, you know, kind of forgot and it slipped my mind and whatnot, right, but yeah, those are absolutely a good idea. If you want to have your laptop on you and you don't want to be, you know, constantly bombarded with different attacks and whatnot, you know, put your laptop in a Faraday sleeve or a Faraday bag. It blocks all connections and then when you want to take notes or something, you can pull it out, take the notes, put it away. You know, something like that. But you know again, you know you need to be disabling Bluetooth and Wi-Fi. That's just how it is, in my opinion. We can talk about the best places to stay, at least in my opinion. You know, for me personally, I love staying at the LINQ, because they redid all of their rooms in their casino a couple of years ago. It's actually really nice. They're very reasonably priced and for DEF CON you're in the perfect location on the strip. I mean the perfect location, especially for the price. You're not going to beat it. You are right in the heart of the conference, pretty much. You're right by Harrah's, Flamingo, Venetian. 
You're right by Caesars Palace, Bellagio. Planet Hollywood is not too far away, but it is still a hike and you're in the middle of the desert. You know it's going to be like 125 degrees at this conference, so you need to be dressing appropriately, you know. That's another thing that someone asked me is like, well, what do you wear? You know, look, this is DEF CON. This is a bunch of hackers. You're not there to impress anyone. Wear a t-shirt, some shorts. If you go to a nice dinner, like I do, I do one nice dinner with some close friends of mine, right, we bring one pair of pants. We bring one nice pair of shoes and a button down slash collared shirt, you know, something like that. But that is literally that one night. The other 99% of the time that I'm there, I'm in shorts, a t-shirt, gym shoes. I got a hat on, you know, because I'm bald, I don't want to get burned on top of my head. That would really suck. But yeah, you know, plan accordingly for that, you know. Another thing is identifying what food places you actually want to go to. You know it is Vegas, right? So they have just about everything on the strip that you can possibly imagine, and the buffets at Bellagio, Venetian and Caesars Palace are absolutely amazing. I mean, there are some of the best buffets in the entire world. You know I go to them. I honestly, I go to them like every single day and that's not the only thing that I go to, but I just personally make that time and I do that because they are that good. I mean, they offer literally everything that you could want for food, like they have it. You know, you want sushi, you want crab legs, you want lobster, you want a steak, you want whatever it is, they have it. And so it's amazing. Some of these places require reservations, you know. So take note of those places, make the reservations when you need to. You know, just make sure that you know you're planning out your trip accordingly. 
You know 90% of this trip doesn't need to be planned beyond your hotel and flight, but there's always going to be different things that, if you want to do, you know, you are in Vegas, that you have to book, you have to plan. So plan accordingly. And another thing that, you know, I really want to talk about is don't be afraid to leave your friends or your coworkers. You know everyone approaches this conference differently. You know I was talking to a good friend of mine and he went to DEF CON last year. He went there with his boss, and his boss is not someone that is going to be drinking a bunch. He's not going to go to the bar, he's not going to be gambling that much, he's not going to go to any parties. He's going to go to the talks and then back to his hotel room. That's cool, that's on him. That's what he wants to do for his conference, right. But for me, I want to go to a couple of talks, I want to go gamble, I want to have some drinks throughout the entire day, I want to eat at the nice restaurants, I want to go to the parties and the clubs. I want to do all of it, you know. So don't be afraid to leave the people that may not want to do that stuff. Leave them behind. That's okay. That's 100% okay. That's 100% expected. In my opinion, if you're not adult enough to be able to go out on your own and experience life on your own, on your own terms, then we have other things that need to be talked about. And one more thing before I let you guys go, right: if your company is sending you to DEF CON, if they are paying for you to go to DEF CON, you should be prepared when you come back with a presentation, a couple slides, talking about what you experienced, what you learned there, the areas that could actually impact, you know, how you guys do security at your company and potentially some areas that you could improve upon. You know, really, keep it simple, keep it brief. 
You know it doesn't have to be extravagant or anything like that, but you know, nine times out of 10, companies that send their employees to these conferences, they want to make sure that they're learning, that they're actually getting value from this conference, that they're not just going there and partying, even though that's like 50% of what you do, because it's Vegas, right, but they want to know that they're getting value out of it, you know, and so just keep that in mind as you go through your conference. You know, maybe take notes along the way, right, like, oh, I saw this talk. It was really interesting. Here's a couple bullet points about it. I saw this other thing, it was really interesting. This, maybe, is what we can do, or what we can change internally to be better at security and be better overall. All right, guys. Well, that's all that I have for you. Again, you know, if you see me in Vegas, go ahead and ask for a sticker. If I have them, I will give them to you and, you know, as always, if you like this video, if you enjoy this podcast, please like the video, subscribe to it. If you're listening to the audio format, please subscribe to the podcast. Leave a review. That would be fantastic, fantastic. It helps me out a lot with all the different algorithms and everything. So see you guys, I'll see everyone in Vegas.