Published on August 5th, 2019 📆 | 5741 Views ⚑0
How to avoid getting burned at Black Hat, destroyed at DEF CON or blindsided by Bsides • The Register
Black Hat It’s that time of year again and the world’s white, grey and the occasional black-hat hackers descends into the fetid hell that is Las Vegas in August for a week of conferences, community conflabs and catching up with old friends.
What started as a bunch of friends hanging out in a cheap hotel has grown into the largest assembly of computer security talent in the world. The conference space of five hotels is going to be filled with exhibitions, hawkers and hackers, all trying to pull stuff down or push it across in the 40˚C+ (100˚F+) Vegas heat.
It’s a brutal conference schedule and one that punishes the unprepared, so we’ve polled old attendees for their advice on how best to ride out summer camp.
There are three overlapping shindigs this week – Bsides LV, Black Hat and DEF CON – and all cater to slightly different groups. The biggest, by attendance, is Black Hat, which has morphed and swollen from its original incarnation to become a five-day training and conference session. While the quality of the talks is usually good, it’s increasingly a vendor show – give it a few more years and Black Hat could end up as RSA with hookers.
Black Hat was founded by Jeff Moss – aka Dark Tangent – in part to pay for DEF CON, which is the largest gathering of non-corporate hackers in the world. You won’t see suits at DEF CON; the talks are generally more advanced and edgy, and the space is littered with specialist villages for lockpickers, aviation and car hackers, and social engineering zones.
But just like Black Hat, DEF CON has metastasized and has tens of thousands of visitors and now sprawls over three different hotels, leading to some say it’s just become too big. So if you want the DEF CON as was, then head to the first conference of the week, Bsides. It’s held at the much smaller Tuscany venue and is strictly limited by size, but there are some fascinating talks and it’s a very friendly and open crowd.
Keen hackers tend to book Bsides (Tuesday to Wednesday) and then move to DEF CON, which runs from Thursday to sometime around the start of the week (depending on how long booze supplies hold out). Black Hat, or at least the training sessions it runs, kicked off on Sunday but the main briefing sessions are held on Wednesday and Thursday.
Am I going to get hacked?
It’s part of the mythology of the week that everyone has to be hyper-aware of the dangers of being hacked. But the truth is you’re probably going to be fine.
It’s really only DEF CON where people are actively going to be scanning for unsafe machines and flagging them, and even then it’s considered very bad form to get malicious about it. Yes, some details about vulnerable systems are displayed on the infamous Wall of Sheep, but that’s about the limit of it.
In 10 years of hacker camp attendance I’ve only had one minor case of someone trying to attack another email to my account, and I suspect that was down to accidentally logging onto the main conference Wi-Fi network without the proper precautions. Bsides is even better, and while the main network comes with a warning just in case, this hack hasn’t heard of anyone getting hit.
Attendees trying to hack each other at Black Hat hasn’t really happened for years; the last incident that got people expelled was nearly a decade ago and was largely harmless, if annoying. Now there’s a massive effort to keep the network clean and it appears to be working.
Some insist on bringing burner kit to the conferences, but an unofficial straw poll suggests that these are more for the over-cautious. And you can always spot the overly paranoid – they are the ones who cover off their USB ports. Seriously, just don’t leave your hardware unattended.
In the traditional security tradeoff between convenience and good sense I’d recommend avoiding the main networks, making sure you never auto-connect to a network. Instead rely on a hotspot and VPN, keeping your phone off or in airplane mode until needed, shutting down Wi-Fi unless you need it, and avoiding Bluetooth. That’s probably overkill for Black Hat and Bsides, but may be underdoing it for DEF CON.
Don’t take a shoeing, or sickness
The geography of the shows are such that you’re going to spend a lot of time on your feet and veterans are almost unanimous in the need for good footwear.
Pick your routes between venues carefully as the Vegas sun is crushingly hot at this time of year so walk as little as possible. Taxis are a very mixed bag – the Strip can be snail-like at rush hour and you need to allow a lot of time for shifting between venues. There is a bus service but it’s as slow as a taxi, although cheaper.
At Black Hat there are three floors and an exhibition space to navigate. You spend a fair amount of time lining up and if you think those fancy leather loafers are going to cut it you could be heading for a blistery hell. Heels for women are also ill advised.
At DEF CON the queues are worse – much worse – and the distances greater, and opportunities to sit down outside of sessions are few and far between. Bsides is the easiest show on the feet, but oddly one of the more confusing to navigate, given the warren-like venue.
Sneakers (or trainers in UK-speak) seem to be a good compromise, and I’ve seen some people swear by boots. I’ve also seen a lot of people swear at sandals, usually by day three when the blistering really kicks in.
You might think that with the heat that sandals would be the thing to go for but most of the time attendees are in air-conditioned halls. These are warm (thanks to body heat) in crowded sessions like keynotes, but for less-crowded sessions it can get chilly.
This shifting between blazing sunshine and chilly halls isn’t great for the body and then you have to factor in the mixing of thousands of people from around the world. Unless you take precautions like layering up, good hygiene and lots of hand washing then you’ll be heading for a ripe case of conference cough.
Above all, hydrate. All of the venues have frequent water coolers and make sure you use them. And try to bring your own water bottle to save on the use of the crappy plastic glasses the hotels are still favouring.
Planning prevents poor performance
Frankly, you’re never going to get to see everything you want to at these shows.
At Black Hat you’re looking at seven or eight different talks every hour or so. DEF CON typically had four main tracks but a host of other talks, and Bsides has a very busy schedule. Once you factor in travel time between rooms then stuff is going to get missed.
On the plus side, DEF CON and Bsides video most presentations and put them online later in the year. That way if you’re really jonesing to see something you can catch up on it later. Black Hat has a similar service but charges for it.
So work out what you really want to get to and focus on that. This works well for Black Hat and Bsides but DEF CON has now grown so large that you’ll have to start lining up early. At keynote and popular sessions you’ll need to be in line at least half an hour, or preferably double that, to get in.
That said, if you can’t get into your chosen talk DEF CON is the best conference to just mooch around in. Go and visit some of the Villages to learn something new, check out side events, or just hang out in the bar area and talk to people. It’s amazing who you can meet.
And remember, hacker camp is a sprint, not a race. Try to do too much and you’ll burn out quickly. Slow and steady wins this race. ®
MCubed – The ML, AI and Analytics conference from The Register.