A couple of coworkers who have never been to DEF CON, BSides Las Vegas or Black Hat (collectively, “Hacker Summer Camp”) asked me about planning their first trips, so I decided to collect my tips here. I’m going to be splitting my advice into two parts: this planning guide for travel/scheduling/registration information, and a Hacker Summer Camp survival guide for advice that’s more relevant while you’re at the conferences.
Manage Your Energy
There’s a lot to do, the hours tend to be long, and unless you’re used to both the environment (typically hot, this is Las Vegas in August!) and the crowds, it’s going to burn a lot more energy than you’re going to expect. Two years ago, I attended all 3 of the conferences, helped run a company suite, and taught classes at R00tz (formerly DEF CON Kids). This was a serious mistake on my part, and failure to manage my energy adequately. I ended up not getting as much out of any of the events as I should have, and when I returned, I ended up sick for several days due to the toll of these events on my body. It was more than a full week afterwards before I felt fully recovered.
If this is your first time, don’t try to do everything. Firstly, it’s just not possible, and secondly, you will destroy yourself trying to do so. Prioritize, and make yourself okay with the fact that some things you’ll just miss out on. For myself, the most important parts of the week are:
- Activities – I learn more by doing than by listening to some speaker try to tell you what he did in 45 minutes. I typically play in the BSides LV CTF and Capture the Packet at DEF CON. Others might find the DEF CON Shoot to their liking. (I’d probably like it too, but always end up busy on Thursday.)
- Villages – Villages are a set of topical/related presentations and activities that are presented by people who are very into the particular topic. I’ll usually visit the tamper-evident village, lockpicking village, wireless village, and whatever is new. If you’ve never tried picking a lock, it’s really interesting just to see how the process goes, and the guys in the lockpicking village can tell you anything you wanted to know about any lock.
- Networking – One of the most important aspects of DEF CON is networking, and it’s not just about lining up your next job. This industry is full of back-channel connections that help you get information, securely report a vulnerability, or help you find a solution to a problem. You’ll find out things that aren’t publicly known, learn who to talk to about esoteric technology, and generally meet some great people.
- Talks – Talks are good and are obviously a core part of all of the conferences, but to me, they take a back seat to the above categories. This isn’t because I don’t like the talks (I do!) but because the other categories require your in-person presence and participation. Unless you want to ask the presenter a question, the talk won’t be recorded, or you really want to know about it before the recording becomes available, being there in person adds very little to the value of a talk.
- Parties – Rumor has it that DEF CON, Black Hat, and BSides may also have parties. These rumors are completely unfounded. There is absolutely no partying, live music, alcohol consumption, or any other fun to be had in Las Vegas during these events.
Scheduling
Black Hat Briefings are Wednesday and Thursday, with trainings either Saturday-Sunday or Monday-Tuesday (or sometimes covering both for bigger trainings). BSides LV is Tuesday and Wednesday, with a pretty full schedule both days. DEF CON is Thursday-Sunday, but Thursday doesn’t really get started until the afternoon (and even then, the villages have not historically been open), and things start to wind down a little bit Sunday afternoon, so Friday and Saturday are the “core” for DEF CON.
1 Conference, 2 Conferences, 3 Conferences?
So which conferences do you want to go to? Well, that really depends on what you’re looking for. I strongly suggest not trying to do all 3: you’ll end up just half-doing all 3. (This is borne out by personal experience.) Here’s what I see as the tradeoffs:
Common Elements
All 3 conferences have excellent technical content, and many of the presentations will be at more than one conference. Many of the attendees will be at more than one as well, so you’ll be running in to the same people throughout the week.
DEF CON
DEF CON is, by far, the biggest of the 3 conferences – reportedly somewhere around 14,000 attendees. It has the most hands-on activities with the villages, and most of the parties (oh wait, what happens in Vegas stays in Vegas…). DEF CON is somewhere between casual and chaotic, and is, of course, the conference that started the whole week of Hacker Summer Camp 24 years ago. For me, DEF CON is the “can’t miss” part of the week, as it has the most learning opportunities, most social networking opportunities, and most of the people I look to catch up with will be at DEF CON. The Vendor area at DEF CON is not a trade show – it’s suppliers who will sell you tools, books, parts, lockpicks, t-shirts, and other things for the individual to use, rather than a “turnkey enterprise solution.”
Black Hat
Black Hat is the business side of the week. If you’re most comfortable in a shirt and khakis, then this might be the conference for you. If you need a large trade show-esque vendor area, they have it. The talks remain high-quality, but it’s definitely got the feeling of corporate-run, enterprise-focused, and very little “community.” It’s also worth noting that Black Hat is an order of magnitude more expensive than DEF CON, so that may influence your choices.
BSides Las Vegas
BSides LV started as the “B-Side” to Black Hat: an opportunity for smaller presenters, attendees without the budget for Black Hat, and more. It’s grown into a network of regional conferences, and has expanded to a number of tracks of talks in Las Vegas. Most interestingly, they have a track dedicated to first time speakers, so you can get to meet some up and coming presenters and support those new to the scene. BSides is the most calm and laid-back of the 3 conferences, and a very casual environment. BSides is also the cheapest ($25 last year, if I recall correctly) and held at a hotel with dirt-cheap room rates ($49/night or so), so is clearly a way for a hacker on a budget to enjoy hacker summer camp. (They also offer a shuttle between the BSides hotel and DEF CON, so you can enjoy their low room rate all week!)
Travel
I’m told driving to DEF CON can be a great deal of fun when done with the right people, but I haven’t managed to do so myself. I imagine doing it yourself isn’t much fun. Do keep in mind that you’ll be driving through the desert, so a reliable vehicle is a must, and bring water, just in case.
Las Vegas, as a center of tourist travel, has relatively convenient air travel options from pretty much anywhere. From the SF Bay Area, there’s several direct flights a day from any of the 3 local airports, and on several airlines, and it’s just over an hour gate-to-gate. Keep an eye on airfare early and look for deals – booking early can easily save more than $100 on airfare. When planning, particularly for your departure from Las Vegas, please keep in mind that DEF CON travelers on Sunday evening are numerous enough to cause significant delay at airport check-in and security, so allow extra time.
Hotel
There’s two schools of thought on hotel: stay at the conference hotel (for one of the conferences, if doing more than one), or stay away from the conference hotel. I personally prefer the DEF CON hotel (i.e., Bally’s or Paris for DEF CON 24), but I’ll review the pros/cons of each so you can make up your own mind:
Staying at the Conference Hotel
- (Pro) You can easily get back to your hotel room after evening “social activities”.
- (Pro) It’s easy to dump stuff in your room so you don’t have to carry everything around. (This can be somewhat mitigated if you have a friend staying there.)
- (Pro) It’s fun to meet random people from the con around the hotel.
- (Pro) Usually, DEF CON sets up “DEF CON TV” to the rooms in the DEF CON hotels, which will live stream the talks, so if there’s one you really want to see but the room is slammed, you can watch it from your room. (Or you can hang out with some new friends, drink a couple of beers, and watch talks from your room.)
- (Con) Everywhere at the hotel will be busy. Everywhere. Every bar, restaurant, and shop, will be slammed at all hours. Seriously.
Staying Elsewhere
- (Pro) You get a break by getting away from the conference. This can be a good option for introverts. (Though I personally find going to my room enough for that – I usually need to do so about once per day to mentally recharge.)
- (Pro) You can often find much better deals off site, especially if you start looking early. DEF CON even has room block that is close by, but not Paris/Bally’s, and is generally cheaper than those hotels.
- (Pro) Food options will be much less busy than at the conference hotel.
- (Con) You’ll need to get back and forth to the conference, which may negate some of the potential savings. (You may think you can walk, but temperatures during this week often exceed 100°F (38°C))
Other Things to Be Aware Of
- As of DEF CON 24, registration is $240, cash only at the door. Since DEF CON 20, pricing has fairly consistently been ($year * $10) – so $200 at DC 20, $220 at DC 22, $230 at DC 23, and this year will be $240 for DC 24. While historically, there have been crazy waits for badges, registration got much better with DEF CON 23.
- Currently, even numbered years get electronic badges, and odd numbered years get non-electronic badges. The electronic badges tend to run out, so you may want to make sure you get a badge on Thursday (they’re usually good through Thursday) if that’s important to you.
- International travelers: Las Vegas basically runs on tips. Nearly everyone expects to be tipped.
- Be an active participant. I’ve personally spent too much time not participating: not talking, not engaging, not doing. You won’t get the most out of this week by being a wallflower.
Resources
There are a lot of resources for finding out more about what’s going on. Obviously, the conference websites are your first stop, but as DEF CON is a large community event, there’s also more opportunities out there:
Conclusion
I hope this proves helpful to those new to DEF CON. Get out there, meet people, and have fun. If you’re a seasoned veteran and see some suggestions I’ve missed, please email me or find me on twitter: @matir with your suggestion and I’ll add it.
Thanks to the @dc404 group for some of the additions and suggestions!