My first DEFCON

Although I certainly consider myself to be a cybersecurity professional, I’ve been too focused on the Digital Forensics & Incident Response (DFIR) side of cybersecurity to fully appreciate the hacking world. DEFCON is certainly a hacking conference, and if you are expecting to next-level in forensics or malware analysis, it’s probably not the best conference for you. I downloaded the iOS app early to review talks, but after seeing the conference book and Android app (looking over someone else’s phone) I realized that MANY of the talks weren’t on the iOS version, so I wasn’t able to plan ahead like I wanted. Additionally, I was hoping to just walk into workshops and get hands-on, but I quickly saw that they were “full classes” so I wasn’t able to attend.

If you are open to being delighted by passionate people, interesting outfits, cutting-edge exploits, and new research findings, it’s an amazing conference! The badge is awesome and the energy is contagious; I’m just completely overwhelmed by all the things you could learn here.

In full disclosure, this conference was 100% at my personal expense and was blended together with celebrating my wedding anniversary, so full DEFCON immersion wasn’t really possible or incentivized (haha). I definitely plan to attend again and dive in with my configured laptop to pull off the famously long hours (see 3-2-1 slides below) people invest in the challenges/workshops/etc.

To my enjoyment, this DEFCON featured the first-ever Blue Team Village, so hanging out in that area was great (minus the horrible lack of seating). I particularly enjoyed the “Cloud Security Myths” and the “Subversion and Espionage Directed against You (SAEDY)” talks as they were packed with content and helped me appreciate the nuances between cloud service providers (CSPs) and the scope of espionage in corporate environments.

Additionally, I really enjoyed the “For the Love of Money: Finding and exploiting vulnerabilities in mobile point of sales systems” talk, with a clear takeaway that mag-stripe technology is completely deprecated and vulnerable; seeing the attacks in action really cranks up my paranoia around swipe-only transactions. The speakers provided live demonstrations of new vulnerabilities that allow you to MitM (Man in the Middle) transactions, send arbitrary code via Bluetooth and mobile application, and modify payment values for mag-stripe transactions.

I’m writing this post from my hotel room at Bally’s Las Vegas and still feel connected because they stream the talks to your hotel room (this was awesome)! I really enjoy that part. Additionally, I kept a pulse on various Twitter and news feeds which focused on the election-related hacking and car hacking, which I didn’t get to experience, but I know those were hot topics during DEFCON.

Watching talks from my hotel room!

In summary, the $300 or so for DEFCON is totally worth it! My biggest regret is not signing up for workshops in advance and lining up early for my favorite talks, because the good talks are absolute chaos (lines of 200 people), despite the goons’ (DEFCON support staff) best effort to keep things moving smoothly.
