Four Years In Infosec First Year In Vegas: My Thoughts On Def Con and BSidesLV
BSidesLV 2016 and Def Con 24 comprised my first experience of “Hacker Summer Camp”. I’ve now been working in information security for four years, have attended a handful of conferences, and have spoken at a number of both conferences and meetups. I personally feel that I have a good handle and understanding of the culture of the industry and mostly went into the week knowing what to expect. There were some great things and some not so great things. Here are just a few.
Old Friends and New Friends
I enjoyed seeing people who I knew of from the Internet but had never met in person. For example,
@Andrew___Morris gave a fantastic talk about how he got the Bitcoin blockchain into a queryable database of transactions. It was him who taught me how to reverse engineer simple malware using gdb, yet I had never met the guy in real life. That was cool. Or one morning as we were walking from our room in the Tuscany to BSides, we were stopped by a woman asking if she could follow us because she didn’t know where she was going. Who was it? None other than, Katie Moussouris. Ironically I didn’t see Jack Daniel at BSidesLV, but I did at BSidesSLC. Go figure.
I have been told that “hallway con” is the best part of any conference and I totally agree. Essentially, hallway con is networking, talking to people waiting in the same line as you, learning about what they work on, what their aspirations are, etc. I would not be at my current job if it weren’t for some good old fashioned hallway con. Reconnecting with old friends and making new ones is probably the best thing you can do at any conference. It is sometimes easier to do that at certain events than it is others, largely due to the organization of a conference. A good conference will take advantage of their venue and orient their speaking and workshops rooms to facilitate mingling.
Both venues had their pros and cons. BSidesLV was organized and laid out in a very sensical manner that was easy to get around. The large vendor and keynote room provided a nice gateway to the majority of the tracks. I loved that as you walked out of talks you immediately felt like you were in the middle of everything else happening at the conference again. However, the Underground track was not in a room near the vendor area. The hallway in which it was found was fairly narrow. Every talk in that track had a serpentine line up and down the hallway making it very hard and uncomfortable for those not waiting in line to pass. As BSides grows I don’t see the Tuscany being able to accommodate many more participants than it already is, but don’t quote me on that ;)
Bally’s and Paris were just short of a nightmare: crowded bathrooms, restaurants, elevators, hallways, workshops, lines, and talks all with a slightly different brand of post-deodorant body odor. Granted, holding a conference of over 30,000 people is going to be tough in any hotel on the Strip. Which raises the question: why is Def Con still held in a hotel? Why don’t they move it to an actual convention center that is made to handle that type of attendance. I am willing to bet that the Def Con committee is sick of hearing complaints like this, but I am also willing to bet that Bally’s and Paris give them a killer deal every year. Next year they’re moving it to Caeser’s Palace which may not be prone to the same stand-still foot traffic in every hallway, but I am not holding my breath. Plus, having it at a bigger venue is sure to relieve stress on conference security, or more affectionately referred to as “Goons”.
Ok, I’m sorry but some of the Goons at Def Con need to step off their pedestal. The first day of Def Con we wanted to get into some workshops, but just like everyone else, we didn’t get our badges in time to make workshop registration. We were told by a friendly Goon that we could try and get in on standby but after we crossed Bally’s casino and got to the bottom of the escalator to go up to the workshops on the third floor, we were met by a very unfriendly Goon who rudely told us there was no way we were going to get into a workshop. I verbally pushed back in a similar tone insisting that we go up and try. After a bit of not-so-playful banter, he gave in. On our way up he reiterated in a very condescending tone that we weren’t going to get in. Once we got to the third floor they asked us what workshop we wanted to go to and let us right in.
The next day we were leaving the Social Engineering Village and heading towards Bally’s Casino when we heard yelling. I immediately thought it was a Goon. I looked up to see a very petite, short woman yelling something to the effect of “If you cut the line I will grab you and personally escort you to the back of it!” I started to chuckle at the thought of her little figure dragging someone to the back of the line when someone behind me said, “You need to check your attitude lady”, with which I completely agreed. I mean she was yelling at the top of her lungs in a very aggressive tone for what appeared to be no reason at all. I had not seen anyone push or try to cross the orange line they had to partition lanes of foot traffic. The same guy then followed up by asking her “I have Xanax in my backpack, would you like one?”
Don’t get me wrong, there were some very nice Goons that were authoritative, direct, and effective in getting people to where they need to go. But there were a good amount that definitely needed to take a little bit of something to calm their nerves. Just because you are a Goon helping direct affairs at the largest infosec conference doesn’t mean you’re any better, smarter, cooler, or 1337er than anyone else there. It definitely doesn’t mean you can disrespect the attendees.
I am not sure I have anything negative to say about any of the villages I attended. Admittedly, I spent the most time in the Packet Village (PV) and the Social Engineering Village (SEV) and both were run beautifully. The PV had four or five challenges running simultaneously as well as a speakers. Their speaking track got so popular that they were breaking fire code and had to quickly move the stage, A/V equipment, and chairs just outside of their booked room in order to accommodate. I was impressed.
The SEV is an obvious favorite by many at Def Con, especially when they are running their CTF. Who doesn’t love watching security professionals trying to take advantage of poorly trained employees and get as much information out of them as possible? I only had the opportunity to listen in on three contestant’s calls and only one was particularly entertaining, but that was just luck of the draw. I still enjoyed it!
I didn’t realize just how many villages and CTFs there actually are at Def Con. I had no idea there was an Intel CTF, that is my fault for not reading the program in its entirety. I believe this was its first year and you better believe I will be competing next year! At other conferences I have attended, I have typically found more value in the CTFs and villages than in the talks. I do not think Def Con and BSidesLV are any different. You only get to experience the CTFs and village challenges in the moment, while most talks will be on Youtube within a few weeks after the con. In addition, hallway con is much easier in a village or CTF environment where collaboration is a must, rather than a talk where talking is rude. However, there are always a few talks that pique my interest so much that I do my best to attend them live.
Underground and Skytalks Tracks
These were two tracks that I was very excited for. Researchers and professionals talking about their discoveries and opinions off the record. The idea that they feel that what they are going to say is so sensitive that it shouldn’t be recorded immediately makes the topic intriguing. However, I must say that I was fairly disappointed with the content of most of the presentations I attended.
I went to three Underground talks at BSides and two Skytalks at Def Con. Of the five, only one did I feel was sufficiently sensitive enough to warrant an off the record setting. For another, I believe the situation was a bit touchy and I could see why the presenter wouldn’t want proof that he revealed what he did, but the content of his talk wasn’t anything that I couldn’t go learn myself on the Internet. The other three, while containing interesting content, didn’t contain any sort of sensitive information at all. In fact in the last one I attended, the presenter wanted to record the talk himself, but Skytalks rightfully told him not to. Like any organization, I think it’s important that they don’t compromise what they originally organized to accomplish.
My experience in the two tracks got me thinking that perhaps the CFP process should be a little more strict in both cases. Granted, I have never been on a CFP committee nor do I know the circumstances of either track’s committee this year, but just because you are an off the record track at a three day conference doesn’t mean that you have to provide content for all three days. I feel that the committees would be doing a greater service to their attendees and the community by more strictly screening the content of each applicant’s talk in order to verify that it really should be delivered in such a private setting. That’s not to say that the rejected talks are not be comprised of great content, but rather they don’t belong in a setting provided by the Underground or Skytalks tracks, which implies a certain level of sensitivity.
If any member of either the Skytalks or BSidesLV CFP committees is reading this, I would love to get involved. Your mission is definitely something I relate to and support. If you’re interested, feel free to email me or reach out to me on Twitter.
Everyone hates scrolling through their Facebook or Twitter feeds to see a title such as “What she says next will shock you” and, for the most part, we are all conditioned to not pay attention to such titles anymore. I feel that infosec conferences have a similar problem with the titles of their talks. The problem is not nearly as blatant as that, but there were several talks I attended whose content was very different than what the title — and in some cases even the abstract — led me to believe.
This is also partially due to the fact that not everyone in the industry is the best public speaker, but that’s ok. Sometimes presenters assume that they are conveying what they want to, when in reality their audience is very lost. A good speaker takes time to explain things and make sure the audience is understanding by asking questions. Honestly, audience engagement is key to any successful speaking opportunity. I feel the quality of all conferences would improve tremendously if they provided workshops for their speakers in both title/abstract writing and public speaking. I’m sure many conference committee members are rolling their eyes at me right now. I know, you’re on a budget and your volunteers are already stretched thin. Maybe take the same approach BSidesLV does with their Proving Ground track and assign volunteer mentors to beginning speakers or others who request it. If you do have the time and resources to offer a couple of public speaking workshops before your event, do it!
Again, if you are on a conference committee and looking for help, I’d love to get involved!
You may be wondering why in much of this post I have been referring to a “we” rather than “I”. No, I don’t have an alternate personality. Rather, my wife and I attended both conferences together. She is a software engineer with interests in security and privacy. Even though it was the first time for both of us, she was treated extremely differently than how I was treated. I’m not talking about your normal getting hit on at all the Blackhat and Def Con parties, which did happen (she was sitting right next to me too). But rather, everywhere we went she was treated as a tag along. I won’t go into too much detail because she wrote her own post explaining it herself. But I will say that her experience inspired me to help women feel more inclusive in the industry.
I do think that the infosec industry is beginning to make significant progress on this, but we still have quite a ways to go. WISP, Women in Security and Privacy, is a newer organization dedicated to this cause. They had a booth in the vendor area at Def Con for the first time this year. In talking to them, it was obvious that this was an organization that I want to throw my support to. If you feel the same way about women in security, check them out and get involved!
Overall, summer camp was a very positive experience with a few bad side effects. The parties were fun, I met a lot of smart people, and I left inspired to be a better security professional and community member. That said, I will be doing many things differently next year. I hope to present a demo in Def Con’s new Demo Labs area. I’m always working on a project at home and that would be a great venue to show something off. As stated above, I also hope to participate in a couple of CTFs next year. And, who knows, perhaps I’ll even submit to present at BSidesLV and/or Def Con next year. We’ll just have to see.
I hope my goals to get involved with WISP and CFP committees can help improve the security community as a whole. I’m still young and have a long time to spend in the industry, and while I love it in it’s current state, there is much room for improvement.
Thanks for a great week BSidesLV and Def Con!