def con 25: mental notes

Notes from Def Con 2017

After over a decade of excuses, I finally made it out to Def Con. I didn’t know what to expect but that’s why I went and the “Con” didn’t disappoint!

The security community is global and significant. Almost every session I attended was near max capacity and the venue at Caesars Palace is as big as a mega-mall so physical space was not the limiting factor. It is estimated that ~25,000 people attended this year’s Def Con.

Despite its size, Def Con still has an underground “hacker” vibe. As far as I know, Def Con doesn’t do any marketing and tickets are only sold for cash at the door with no pre-registration of any kind. At Def Con you won’t find any mega-booths from Microsoft, Cisco or others. Instead, smaller organizations and non-profits like the Electronic Frontier Foundation have a presence. This was particularly refreshing for those of us who dislike today’s huge commercial mega-conferences.

Talks are casual and focus primarily on “zero-day” demo-able security vulnerabilities, tools, or findings. Getting selected to speak at Def Con is no easy feat. Among the requirements Def Con is looking for, your topic has to be something that isn’t public yet and can be demoed on stage. It has to be unique, impressive and “zero-day”, i.e. disclosed publicly for the first time. This is also why you’ll find a variety of well-known government agencies, press and private companies among the attendees.

Everything is vulnerable but working together reduces our exposure. When you see just how easy it is for devices and software to be exploited, it’s tough not to be worried (paranoid?). Among the highlights this year, US electronic voting machines were exploited live in just a few hours. With a growing number of devices coming online, the security threats are real. One of the objectives of Def Con is to distribute the latest security information and techniques to encourage better, safer practices that protect us. Bad actors aside, I think this model works better than secrecy.

Rod wrote this on