My Blackhat, BsidesLV and DefCon Experience

This was my first trip to BlackHat, BsidesLV and DefCon. It was my first trip to the States altogether and it’s very easy for one to get overwhelmed with Vegas itself, being dazzled by the bright lights, loud music and pretty people.

There have been many blog posts explaining the good, the bad and the ugly of all the conferences so I won’t repeat them all. However, as a first timer, I must say that I was taken aback by the sheer size of venues one cannot fathom the number of people just bustling through corridors at all times. Being used more European conferences which are on a smaller scale and you know nearly everybody in attendance, it can be quite disorienting, but at the same time you get a true feel for how insignificant you really are in the big scheme of things. Not that I ever considered myself to be anything more than insignificant.

Anyway, I arrived in Vegas and was given a warm welcome by the DHS who wanted to ask me a few extra questions. I doubt it had anything to do with racially profiling at all, it’s just a coincidence that I’m brown and have a funny sounding name. Anyway, after the short chit chat, I went on my merry way. I found it quite amusing walking out of the airport to see a big sign advertising that I could go and shoot a real machine gun in the desert. Sounded like it could be fun, but I really wasn’t in the mood for any extra questioning as to why a bearded guy wanted to shoot some guns.

Stepping out of the airport, the hot desert heat hit me and for a minute I felt like my skin was about to burn off. Nothing quite dramatic happened and I managed to find my shuttle bus to take me to my hotel. Reaching the hotel on the strip, the one thing that stands out is the grand scale of things. Hotels tower over you and have magnificent decor to lure you in. You see an Eiffel Tower, Gondola’s, water fountains, pirate ships and many more sites that give you the feeling that someone went around the world, picked up some of the most magnificent structures and plonked them slap bang in the middle of the Las Vegas Strip.

Getting around Vegas can be a bit problematic, First off things aren’t as close as what you may think. Getting from your room to the hotel lobby to the road can take a considerable amount of time so where is you might think that hotel with the pretty fountains its just next and all it may take a very long time. This is not helped by the fact that it is very very hot, so a short walk can leave you drenched in sweat which is not a good look when going to a conference. Which leads the option of taking a taxi, but even that can get very expensive. If you’re planning on staying there for any period of time, it may be convenient to hire a car. Parking is free in all hotels I visited and it does work out cheaper than taking taxi’s. Unless of course you go to conferences to take advantage of the copious amount of free liquor available, in which case driving probably isn’t a good idea.

 

I did manage to hire a car for one day and take a trip out of Vegas to visit Red Rock Canyon, which I’d recommend. If for nothing else, just the opportunity to escape the hustle of the Strip and find a quiet place to contemplate, relax and enjoy nature.

Blackhat was held in the grand location of Caesars Palace over 2 floors and a labyrinth of rooms. On the first day I stood by the main escalators for a while, which proved to be a good strategy as I managed to bump into many people who I knew or who knew me. I figured the breakdown of people worked out a bit like so:

 

 

With Paul Dot Com 

Out of the few people who I did stop to chat with, I managed to snag some pictures with a couple. It kind of feels in some ways like being on a movie set. You see all these people who you’ve followed on twitter, or read their blogs or heard on podcasts and end up freaking out a little over that you’re in the same room as them and can think of nothing other than “quick let me get a picture with them or no-one will believe me” despite the fact that no-one outside of security knows them anyway. For all intents and purposes, I could have taken a picture with the janitor and come home and told my family and friends that he was an information security Nobel peace prize winner and they’d be none the wiser.

 

I was warned by my boss when I took my job that although I’ll get to go to conferences, the life of an analyst will probably take away most of the charm, and she was right. I spent most of the two days of Blackhat locked in vendor briefings. Which wasn’t too bad as I got to meet a lot of very interesting people. The downside is that I didn’t get to attend any of the talks. However, speaking to many people who did attend the talks at Blackhat, the overwhelming response was that there was nothing special about any of them. With the biggest disappointment being the Apple presentation.

 

The lack of quality in the talks wasn’t just restricted to Blackhat, it extended to DefCon too and speaking with a few people the general consensus was two-fold. Firstly, there has been an explosion in the number of local conferences held over the last few years. Meaning that people don’t have to wait till Blackhat or DefCon in order to unveil their latest and greatest discovery – that’s assuming their talk will even get accepted. So the whole impact of one revelation after another has got diluted across the year and across the globe. The second factor that has probably influenced this has been the maturity of vulnerability disclosure processes. No longer do vendors only find out vulnerabilities when the speaker announces them on stage, rather there is generally a process in place to disclose these well in advance of it becoming public.

 

These are good theories and probably go a long way in explaining the reasons for the weaker talks… except, there’s something that blows a massive hole in this argument; BSidesLV. Yep, the grandaddy of all Bsides, which I managed to slip away to for one afternoon. The few talks I did manage to see were undoubtedly very good. In particular the underground track where talks weren’t recorded and the speakers felt free to share intimate details of their research and discoveries. In particular I attended a talk by HD Moore in the underground track that genuinely got me excited about security in a way that I haven’t been in a long time. It does get one thinking that if a small event like BsidesLV can get great talks and engage an audience, then what has happened to Blackhat and DefCon? Where has the magic been lost and how can it be recaptured, or is this just the natural growth path of any con?

 

Overall though, Blackhat was very well organised. All facilities were impressive, despite the large number of attendees, there weren’t any choke points and everything was smoothly run. But – despite all this, I felt like something was missing. Growing up hearing stories of Blackhat and thinking I’d visit some day, I was expecting something else. I’m not sure what, but it seemed a bit too polished and too corporate compared to what I had in mind.

 

Rolling on next we had DefCon and to be honest, I’d be lying if I said I wasn’t a bit apprehensive about it. I’d heard many stories, nearly all of them negative. Reading up on past blogs didn’t help. I fully expected to witness a bunch of crazy people running around stealing items from each other, rooting devices, a place where the goons (staff) were going to be rude and women couldn’t walk more than 5 feet without being molested.

 

The reality I saw was quite the opposite. I found DefCon to be extremely well organised, staff were very polite and helpful and there were women walking around freely without being harassed. On scale, DefCon is a whole other beast. With estimates of over 16000 people in attendance you can both feel like this is the best place you’d ever want to be or the loneliest place you’ll ever be depending on how many people you know. I attended a couple of talks, but for the most part this was a giant hallway con for me. I caught up with so many people and was extremely flattered when a few people came up to me having recognised me from my videos.

 

More than anything you appreciate how important a face to face meeting with someone really is. Social media is great and we can stay connected all the time. But there were some people who I chat to a lot on twitter for example, whom when we met, ended up with not a great deal to say. On the other hand there are others whom I hardly or never spoke to before, or whose blogs I may follow and had a preconceived notion of them being old or rude or immature, yet when I met them I realised they were actually cool people with whom I would happily hang out with.

 

So I’d give DefCon the edge over Blackhat purely because there are so many more people  who attend who you can socialise with and at $200 entry for DefCon which is approximately 10 times cheaper than Blackhat, it’s easy to see why. In terms of talks, I’d still say BSidesLV was the best, but that really is based only upon a couple of talks so people may have differing opinions on that.

 

Which brings me onto the other side of this week in Vegas, that being the vendor parties. For someone like me who doesn’t drink, doesn’t gamble and would rather have a quieter chat with 4 friends over dinner, these parties are where it all starts to go downhill. With free alcohol flowing at most, loud music and scantily-clad women entertaining, it gets rather tacky. If you’re the type of person who gets offended by booth babes at conferences, then you’d probably have a minor stroke at the sight of these vendor-fuelled boozefests. It turns into a club 18-30 in Ibiza. If the DJ were taking any requests, I’d just ask them to “turn it down a little”.

 

This is where I’m assuming all the tales of rude staff, fights and women getting groped come from, and that’s not surprising. You take a bunch of people out of their usual environment, they are in Vegas which isn’t called “sin city” for nothing and then you ply them with copious amounts of booze then are surprised when people act obnoxiously?

 

Many women have complained about DefCon being a male dominated culture where women aren’t valued and this being representative of the security industry at large. Personally, I just think this is a typical alcohol fueled culture. You could go out to any club or city centre in most western countries and experience pretty much the same behaviour – if not a lot worse. So I think it’s wrong to blame the security industry (whatever that means) and accept that it is a recipe where this will naturally happen as a matter of course given what happens in society at large. Someone I was speaking to at Bsides explained it quite well, saying that what happens is people get confused. You put these professionals in an environment with their peers and there is usually a lot of respect. Mix in alcohol and scantily clad women, music, bright lights and people aren’t sure how to act anymore. Is it a professional relationship you have, or are you now friends or what?

 

I don’t want to come over as preachy and judgmental trying to point out the moral ills with society. I’m just saying that it’s not just women who’d rather avoid these parties and it’s not just me, I met a number of people who shared the same sentiment. To which I look around and realised something. The people who were attending Blackhat and Defcon 15 or 20 years ago are a lot older than what they used to be. We’re not talking about 20 year old punks wanting to break everything and anything just because they can. We’re talking about 40 somethings with senior positions in companies and families who don’t want to see the world burn. These guys shouldn’t be partying till 3am only to be on a panel discussion the next morning at 10am. Therefore, my suggestion would be to start off an old persons con. You know a con which caters for zimmerframes and people don’t shout, unless of course its because the batteries in your hearing aid have run out and you need people to shout at you. Maybe focus less on cutting edge sexy new hacks and focus more on the good old days when we used to look after things manually, and that’s exactly how we liked it. Designated nap areas can be provided where delegates can have a lie down mid-day or simply use it as a private place to take medication. Then in the evening the entertainment would be a game of charades or a 70’s style disco before retiring to bed by 9:30pm with a warm mug of hot chocolate.

Until that day, I still have my infosec dance moves.