The two biggest hacker conferences in the world take place during the same week every year in Las Vegas.
Referred to as “hacker summer camp,” Black Hat USA and Def Con last week brought together hackers, information security professionals, and government agents.
This year, more than 22,000 people showed up to see talks, buy tools and t-shirts, and enjoy Sin City. They also crammed into various villages at Def Con to compete or learn things like lock-picking and safekeeping their online privacy.
Here’s what went down.
My time in Vegas started at the Black Hat USA security conference, which was held at the Mandalay Bay Convention Center.
Black Hat and Def Con are closely related, since they were both founded by Jeff Moss (aka The Dark Tangent). DC was his first conference, which began in 1993. He started Black Hat in 1997.
Attended by about 15,000 people this year, Black Hat features briefings, training, and networking opportunities for those in the information security community.
It draws a mostly professional crowd. There were plenty of 'white hat' hackers on hand, who help companies keep out the bad guys, as well as those who work for the government.
But there are plenty of worthwhile talks to check out. I especially enjoyed a talk on the cyberwar aspects of the war in Ukraine, the science behind email phishing attacks, and whether it works for hackers to drop USB drives for some unwitting person to pick up and plug in (it does).
There was also a great talk by researchers at NCR Corporation, who revealed major vulnerabilities within the new chip credit cards, also known as EMV.
And there were hundreds of vendors there trying to hawk products to companies who worry about being hacked.
On my first day in town, Alice in Chains played at the House of Blues. There were hundreds of Black Hat attendees there enjoying a free (and awesome) concert courtesy of Cylance.
The party's free booze meant a different ending than what I had in mind. The new friend I met before the concert got blackout drunk and I had to carry him around Vegas to get him back to his room. You know who you are, and you owe me.
After 3 days of Black Hat, it was time to move over to Def Con 24, a very different conference. 'Def Con is like a juggalo carnival,' one grey hat hacker told me before I went. (A 'grey hat' hacker plays both sides of the hacking world -- sometimes they help companies and people protect themselves, sometimes they cause mischief or do illegal things.)
Unlike Black Hat, there's no prior registration at Def Con. You have to just show up and get in line with $240 cash on hand. Press, vendors, and speakers go in a different line than paying attendees.
With tens of thousands of people showing up, many attendees wait for hours in line to get their badges. They even call it 'LineCon' since it's a great opportunity to get to know a fellow hacker and ask what they like to do.
The big event on Thursday night was historic. DARPA sponsored its Cyber Grand Challenge, where 7 autonomous supercomputers went head-to-head in a hacking tournament.
The computers found bugs in software without any human control, while also trying to hack their counterparts. 'If we were to talk about something like this 15 years ago, we would have been talking about science fiction,' said Visi, a hacker who was giving the play-by-play.
The winning team was ForAllSecure with its system, Mayhem. For their efforts in developing computers that find bugs faster than some humans can even open a file, they took away $2 million.
Once Def Con officially kicked off, it was a race for some to get to talks, the contest areas, villages, or -- the swag line. Some people waited for 3+ hours just for an official t-shirt, since many of the sizes would sell out in the coming days.
And most -- if they were smart -- turned off WiFi and Bluetooth, or at a minimum used a VPN while surfing the net. Otherwise they might have ended up on the 'Wall of Sheep' featuring unencrypted web traffic being sniffed in real time, such as usernames, passwords, and other info.
I attended quite a few talks while I was there, including one by Ladar Levison, the founder of the Lavabit encrypted email service. He talked about his case -- in which the government demanded he turn over encryption keys so it could read Edward Snowden's emails. He shut down the service and fought on.
There was also some somewhat frightening research about how one could defeat Tesla's various sensors. 'Normally the car will move. However, we jam the sensor and it moves,' Chen Yan said. 'It hit me,' he added, to audience laughter.
One talk claiming to expose 'critical flaws' in airline navigational aids, radar, and the Traffic Collision Avoidance System (TCAS) was mysteriously cancelled at the last minute. The (unconfirmed) rumour going around was the government hit the speaker, Sebastian Westerhold, with a cease-and-desist. Neither Def Con nor Westerhold responded to an email for comment.