As I’m starting to write this, today is August 8th, 2022. I’m in my 4th week at Independent Security Evaluators as Senior Solutions Consultant and shortly after accepting the job offer, I was invited to come join the team in Las Vegas for DEFCON. This was an exciting opportunity and I was happy to come along, while not really asking any questions. I mean…it’s a trip to Vegas to go to a convention I’ve never been to before. It will be fun, right? I’m the type of person who tends to go for any good opportunity to travel for work, so it was a no brainer.
Later, my new coworker, Ronnie, asked me during a chat whether I had been to DEFCON before. I told him no and his response to me wasn’t exactly what I expected. “You’re going to have a great time! Just don’t look like a Fed.” Uh, what? Do I look like a Fed now? I wear t-shirts with Super Mario unironically. I’ve been in the private sector my whole career. I thought he was just going to tell me to bring sunscreen and drink a lot of water…
It was at that moment I sort of realized that DEFCON wasn’t going to be like some industry conference I did during my time in the MSP industry, or a video game convention, or a music festival, or any other big gathering I’ve done in the past. I’m not green when it comes to cybersecurity management, or vulnerability scanning, or compliance management, or getting the most out of a con…but this wasn’t going to be something I just look at the schedule for, gather business cards and drink some free cocktails at the evening event while chatting about new business opportunities. So, I guess that brings me to…
Since this wasn’t going to be like other conventions I had attended, I thought doing some research and preparation would be a good idea. I began by just figuring out what I wanted to get out of DEFCON.
- Learn – I’ve never been to any kind of hacking convention. I’m no luddite and I certainly have experience across many aspects of technology/cybersecurity, but looking for novel vulnerabilities and straight up breaking things isn’t something I’m personally experienced in.
- Connect – Since all of this is so new, it’s probably a good idea to use DEFCON as an opportunity to extend my network, both personally and professionally.
- Safety/Security – I would feel a lot of shame if something bad happened because of my own mistakes with security. I’ll do what it takes to avoid that.
- Fun – It’s Vegas. It’s not going to be a stuffy crowd. People are probably going to be doing some things I haven’t seen before. If I don’t have fun, I messed up.
I consulted with my oracle, Google.com, to learn what I could about the event itself. ISE is going to be running the IoT Village, as usual, where we demonstrate hacking techniques on a variety of devices along with workshops. I knew basically about what I needed to do in our space, but aside from that I wasn’t sure how my time would be best spent. Once I got my shift information at IoT Village (10 AM-2PM) I figured I would have all afternoon and evening to just discover things for myself.
Once I arrived in Chicago for my connecting flight from Baltimore, I decided it was time to start protecting myself. I disabled WiFi, NFC and other wireless communication on my phone with the exception of 5G. I didn’t want to end up on the “Wall of Shame” at DEFCON because my phone connected to some random wireless access point, or because I walked too closely to someone. Maybe I’m being paranoid, but I didn’t need that stuff so why keep it on?
Finally, I made it to Las Vegas and arrived at the Linq Hotel, which is connected to Caesar’s Forum, the venue for the event. That first night started giving me a sense of the type of people I would be chatting with. Lots of people walking around in nerdy t-shirts with memes, gaming references and a few that probably aren’t appropriate to repeat on a blog like this. If you are into people watching, I recommend coming to DEFCON. During those idle times when I was just waiting around, it was easy to get lost staring at randomness.
Thursday was mostly spent on setup. If you have ever set up a space at a convention, it was what you would expect: Dealing with getting power to our workshops, folding t-shirts to give away, putting up signs and so on. I noticed a huge line for DEFCON merch before the actual convention even started while doing my setup. The passion among those in attendance was obvious, which only made me more hyped to get the convention started.
I also got my badge that day. You can probably look it up on the web to get a sense of what it looked like, but for DEFCON 30 the badge is a DC-30 Human Sampling Keyboard. I’m actually familiar with reading music, so this was a lot of fun for me. After inserting the batteries, attaching my lanyard, putting some buttons on it to make it look cool (and to make sure I didn’t look like a Fed, as Ronnie recommended) I started playing with it. Maybe playing isn’t the best word to use…it was more like obsessing.
First, this was a little device that let me play and sample simple music. So many possibilities were there, especially for me because I know a bit about music, including reading sheet music, which turned out to be more useful than I expected. After figuring out how to play “Never Gonna Give You Up”, various tunes from Zelda, and The Doors “People are Strange, I eventually got to the fascinating part of this badge: The Challenge.
When I went into it, there were three statements that were obviously clues for a puzzle:
- Collect The Measures (I noticed Measures was misspelled, which threw me off because I wondered if that was part of the clue)
- Break The Silence
- Continue The Journey
What could this mean? My colleagues and I started looking it over. While perhaps they are more familiar with hacking devices, it turns out knowing how music works was very important. On my badge, I noticed a few specific notes in a C Major measure. These notes were G, E, D, and C. G, E, and D were quarter notes, and C was a dotted half note. For those not familiar with music, that means that C took up three beats, and the others only one. This was like “Name That Tune”. I had four notes and I played them out on the keyboard…it sounded very familiar to me. The fact that the C was a dotted half note means it was probably the end of a phrase of music, not the beginning.
Maybe now you understand why I became obsessed with this puzzle. I kept playing the 4 notes over and over again and speculated that it was the end of the song “Morning Mood” (if you aren’t familiar with the title I’m sure you have heard the song before). Of course, I didn’t know exactly what this meant at the time. But I did have a clue: “Collect the Measures”. Were the other measures the rest of the song? While my white badge had some notes on it, someone else’s orange bad had different notes.
It turns out that there are eight unique badges with eight different measures. When playing them in the right order, it was indeed “Morning Mood”. A sense of pride came over me. My instincts were correct. When played on the keyboard, the next part of the challenge was unlocked. On the screen of the badge, it showed my badge number, as well as more clues. It said to “Call Jenny”, except Jenny was displayed in a mirrored pattern backwards. I’ll end the puzzle talk here, but this is the kind of stuff you can expect coming to DEFCON. Everyone is trying to solve some kind of puzzle, whether it’s a lab, a CTF, or a social engineering exercise.
Friday: Day 1 of DEFCON 30
My shift at the IoT Village each day was 10 AM to 2 PM, but we still had some last moment setup to do, so I arrived early and began setting up Surface Pro tablets, organizing our handouts and so on. Right at 10 AM, we opened up to a flood of people. We were ready for it though, and the hundreds of t-shirts we brought to give away were gone in a matter of minutes. Many attendees who were interested in what ISE did, the beginner labs we set up, or the IoT CTF immediately went to their stations. You could tell right away that the people who were competing in the CTF were there for the long haul and committed themselves to winning.
After the initial rush things calmed down a bit. While we were able to handle the rush, I have to admit it was nice for things to normalize and not have to deal with people surrounding you constantly. I finished my shift and joined my colleague TJ for a short tour of some of the other villages. The ICS Village was interesting to me. That one was focused on threats to critical infrastructure. Ever since the Colonial Pipeline attack, I have taken personal interest in learning more about threats to the country’s core infrastructure.
We also checked out the Car Hacking Village. ISE has a history with car hacking, going back to when we hacked anti-theft systems that were supposedly unbreakable back when our team did it. Since then, computerized vehicles have only become more prevalent, especially as cars become more integrated with other technologies like smartphones. At the village they had a couple cars for demonstration. In case you were under the impression that these cars were locked down, many potential attacks were outlined, such as how wireless commands could be issued to give instructions to the brake system. Imagine driving on the road and suddenly a hacker activates (or deactivates) your brake system without your realization. The implications were significant.
After a few more hours it was time to take a break and relax for the evening. I still had two more days to work, learn and have fun.
Saturday: Day 2
Uh oh. The first couple days of prep and presentation had some consequences. Some of my colleagues were losing their voice from having to talk loudly for most of the day to rise above the constant noise from such a busy event. Fortunately, we have a great team at ISE we all stepped up to pick up for those who were having a difficult time. I decided instead of working just my morning shift that I would stick around the whole day. Famous last words…
I sort of wanted to work the whole day anyway, since Ted Harrington, our Executive Partner’s, book signing was that afternoon. Not only did I want to help manage the crowd, but it just seemed like a fun time. Just like Day 1, there was an initial rush. There definitely were people trying to convince me to let them into the IoT Village early, but I’m no sucker! They even tried to bribe me with donuts. I took the bribe, but didn’t let them in. We had a good laugh about it though and one thing that really sank in that day was that despite perhaps some negative reputation about “evil hackers” at DEFCON, the vast majority of the people I dealt with were kind and were really only interested in learning and participating in the event. Perhaps some who attend are trying to do bad stuff, but the actual “culture” of DEFCON I found to be much more positive and productive than the reputation might suggest.
Our labs for beginner IoT hacking exercises continued to stay busy, even as the general crowd would ebb and flow. It was nice to hear all the positive feedback. Many of the participants were hobbyists or students and this was a great activity for them to cut their teeth, so to speak, on basic hacking.
The book signing went well, and we wrapped the day up. On Day 2 I didn’t really get to explore as much during the day since I was working, but after dinner and drinks with the team, I did get the opportunity to start exploring the party scene at DEFCON. The line for the bar was long, but I had fun going to the Arcade Party and getting some time in with NFL Blitz, NBA Jam, and Marvel Vs. Capcom 2. Then the unexpected happened. A generous soul came up to me, opened his backpack…and handed me a White Claw. No bar line for me. Some heroes don’t wear capes.
Sunday: Day 3
I had my fair share of entertainment the night before, but fortunately I left myself plenty of time for a good night’s sleep entering the last day of DEFCON. While we were expecting a lighter crowd at the IoT Village, I had the sense that this was still a very lively con. Indeed, after getting the tablets set up for the day the lab was pretty much full until the event closed at 2 PM, even with a smaller crowd for the con overall on Sunday.
While the overall intensity of the crowd was a bit lower for the final day, I had some of my better conversations with people, particularly younger people and students looking to get into the industry. One of the benefits of a calmer day is that you can actually hear what people are saying!
It also seemed like the people who were there for Day 3, particularly those involved in the CTF, were the truly committed people. Friday and Saturday definitely had more people who were there to see lots of different things and perhaps were less invested in the competitions and exercises that occurred throughout the event. Sunday when we opened up the IoT Village, the people who were doing CTF made a beeline straight there and began hacking away. I was impressed by the commitment and enthusiasm. We wrapped up mid-afternoon, packed our items heading back to the office and started winding down DEFCON. For me, I was starting to feel the fatigue and turned to In-N-Out Burger and the Blackjack tables to relax. I actually won a little money and I swear it was legitimate. No hacking required, just a little luck.
Later I learned that the IoT Village CTF winners had been awarded a DEFCON Black Badge! So exciting…but what is that? That must be like a black belt or something. Did that mean they could now enforce the DEFCON rules with an iron fist? Maybe it was like a black card and they could go nuts at the DEFCON merch table. Once my colleagues explained the honor of the Black Badge and how winners got lifetime admission to DEFCON, it made me feel proud that the IoT Village played a role in it.
I had some time during my flights back to Baltimore to reflect upon DEFCON. Going into the con, I think my focus was on being prepared to not get hacked and relax a little more about where my time was being spent. In hindsight, I probably didn’t need to be paranoid about being hacked. I could have used the same basic cyber-hygiene approaches all travelers take for a safe trip. If you have interest in DEFCON and the thing holding you back is some kind of worry about your personal safety, I can say that this isn’t a real worry.
There is definitely more going on than there is time for any one person, especially if you are working a booth or have some other commitment specific to DEFCON. I have felt this with other cons in the past, but DEFCON felt particularly “rich” in terms of content. I still think that not having a firm plan is the way to go, because the con is so dynamic, but it would probably be wise to pick at least a few things that you really want to do and leave the schedule open outside of that.
Having the right attitude is important as well. The vibe of the con is relaxed and friendly. I didn’t want to come off as uptight, or salesy, or corporate, or whatever. I wanted to make sure that I took an interest in the people there as opposed to having some kind of agenda. I think this would also extend to not trying to be some know it all. It’s best to come into the con expecting to discover and learn.
It’s perfectly suited for Las Vegas. Not only is Vegas filled with hotels and convention space, but the “sin city” aspect of Las Vegas is in line with the culture of the con. Nobody even blinks when someone walks past in a shirt with profanity on it, or if your hat has an electronic billboard, or maybe if you had a hard night of partying the night before. The tourism economy and culture of the town makes the unusual nature of the con mesh completely.
My colleagues told me before I went that I would have a great time but that when I got back I would be exhausted. They couldn’t have been more right. I returned to my home tired from all the activity, but also excited thinking about next year’s DEFCON! Now if you’ll excuse me, I must report to my contact at the FBI to inform them about all the “interesting” people I met. Just kidding!