In February, I wrote a guide to planning travel for BSides, Black Hat, and DEF CON, occasionally referred to as “Hacker Summer Camp.” In my original post, I promised an update with information about your actual travels to BSides, Black Hat, and DEF CON: what to bring, what to do, and how best to stay out of trouble. This is my best advice on that, but I’m sure others have differing opinions.
Health and Safety
I discussed the idea of managing your energy in the first post, but I can’t stress enough how important that is. Las Vegas is hot, there’s a lot going on, and so it’s easy to not realize how much you’ve burned yourself out. Take your time and don’t try to do everything – it’s not possible and you’ll make yourself sick in the process.
DEF CON 101 attendees will hear about the “3-2-1” rule. No, it’s not some new variation on the TSA’s 3-1-1 rule, it’s the guideline for personal survival at DEF CON: 3 hours of sleep, 2 meals, and 1 shower. Per day. Every day. Please follow at least this! Many days you may want to shower more than once, and I’d strongly encourage that – you’ll be packed into rooms with 15,000 of your (soon to be) closest friends, and there’s nothing that will make it harder to network and meet people than smelling like a gym with no ventilation. So I will also add: use deodorant. If you start to smell, take a shower, don’t just try to cover it up with some kind of body spray. Body spray just means you smell like sweat and some $4.99 crap you got from the checkout register.
This is a good time to mention hydration: it’s Las Vegas, which means it will be dry and hot, which is the recipe for dehydration. So is moving around a lot. So you need to always be drinking, and I don’t just mean Beer, Gin & Tonic, or Vodka & Red Bull. Drink lots of water. If at any point you get headaches, nauseated, or generally feel like crap, odds are you’re dehydrated and water will help. Money saving tip: if you want bottled water, buy water from a drugstore or convenience store on the strip (or if you’re driving, bring it with you). It will be much cheaper than buying it in any of the hotels.
Finally, a word about physical safety: keep your wits about you. DEF CON gets attendees of all sorts, and you’re in Las Vegas, a city known for clueless tourists, so there’s plenty of opportunity for thieves and other criminals. Know where your stuff is at all times, and don’t leave it unattended. Don’t look like a conference attendee outside the hotel, and if you’re out very late at night, being with others will help ensure your safety.
What to Bring
What to Wear
Read the weather forecast, but you can pretty much count on hot & dry. And when I say hot, I mean like 40°C (100°F +, for those of you not working in SI units). DEF CON is a highly informal conference – t-shirts and shorts or jeans are probably the “average” attire. If you want to look more professional, you’ll be fine too, unless you wear a suit. Then you’ll stick out like a sore thumb. BSides is approximately the same, Black Hat tends more towards business casual, though you’ll see plenty of t-shirts & jeans here too. Generally, wear whatever your comfortable in in hot weather.
The network at DEF CON has been called the most hostile network in the world, but I suspect that’s a little overblown. That being said, it’s probably a good idea to treat it as highly hostile – better safe than sorry.
At a minimum:
- Backup your data in advance
- Fully patched
- Full disk encryption
- Firewall enabled
- Use a VPN & SSL-enabled sites
- Don’t click past SSL warnings
Other possible considerations:
- Don’t bring sensitive data at all
- Use a different hard drive
- Use a different device
Picking your devices
What electronics you want to bring will depend on what you want to do. Some activities will require a laptop: CTFs, Capture the Packet, Badge Hacking (most likely). If you want to participate in these or something similar, you’ll want to bring a laptop. Otherwise, I’d encourage you to leave the laptop at home, or at least in your hotel room. (Being mindful, of course, of theft and evil maid attacks.)
It’s obviously hard to go without a cell phone, but you may want to consider using a different phone from usual, for several reasons. This would give you the option to give out a number to arrange parties, events, etc., but not have them have your permanent contact information (as can various services) but also protects you against attacks on your devices. (There have been a lot of 3g/4g and mobile attacks lately, so it makes sense to pay attention there.)
Other things to Bring
- Cash: DEF CON tickets are cash-only, and you might want cash for cabs, drinks, etc. I’d recommend against using the ATMs in the immediate vicinty of the cons – you never know who’s found an 0-day or brought a skimmer!
- Notepad and pen: old fashioned note taking is sometimes the best.
There’s a lot of things to do in this week, and I’d like to focus on 3 principle ideas to help in choosing what to do:
- Don’t try to do it all – you just can’t
- Be active, not passive
- Try new things
Obviously, these conferences are best known for their talks and presentations, but I don’t actually consider those the most important reason for attending. I’ll attend a few talks, but since they’re nearly all recorded, I can always see the talks later. Attend talks that are of personal interest, but don’t force yourself to sit in the audience of a talk every hour – that’s being passive, and you won’t get as much out of things.
DEF CON hosts a number of villages each year, housing various demonstrations and activities, including the Lockpicking Village, Wireless Village, Packet Capture Village, and Tamper Evident Village. Each one will have talks and activities focusing on that particular aspect of “hacking”, and are great opportunities to learn something new from people who are extremely passionate about their niche. Some of the things you can try doing:
- Analysis of packets from the network
- Pick locks
- Try to open tamper-evident containers without leaving a trace
- Hunt for hidden wireless devices
The content from the villages is often not available anywhere else, so if you see a topic that you’re interested in, you should definitely pay them a visit.
It’s probably not a secret that there are parties in Las Vegas during this week. Many of these are great opportunities to get to know other security professionals and enthusiasts, discover what people are working on, and generally network. You never know when you might meet your next coworker. :)