Hacker Summer Camp 2017: Lessons Learned07 Aug 2017 in Security
In addition to taking stock of how things went at Hacker Summer Camp, I think it’s important to examine the lessons learned from the event. Some of these lessons will be introspective and reflect on myself and my career, but I think it’s important to share these to encourage others to also reflect on what they want and where they’re going.
It’s still incredibly important to me to be doing hands-on technical work. I do a lot of other things, and they may have significant impact, but I can’t imagine taking a purely leadership/organizational role. I wouldn’t be happy, and unhappy people are not productive people. Finding vulnerabilities, doing technical research, building tools, are all areas that make me excited to be in this field and to continue to be in this field.
I saw so many highly-technical projects presented and demoed, and these were all the ones that made me excited to still be in this field. The IoT village, in particular, showed a rapidly-evolving highly technical area of security with many challenges left to be solved:
- How do you configure devices that lack a user interface?
- How do you update devices that users expect to run 24/7?
- How do you build security into a device that users expect to be dirt cheap?
- What are the tradeoffs between Bluetooth, WiFi, 802.15.4, and other radio techs?
Between these questions and my love of playing with hardware (my CS concentration was in embedded systems), it’s obvious why I’ve at least slightly gravitated towards IoT/embedded security.
This brings me to my next insight: I’m still very much a generalist. I’ve always felt that being a generalist has hamstrung me from working on cool things, but I’m beginning to think the only thing hamstringing me is me. Now I just need to get over the notion that 0x20 is too old of an age for cool security/vulnerability research. I’m focusing on IoT and I’ve managed to exclude certain areas of security in the interests of time management: for as fascinating as DFIR is, I’m not actively pursuing anything in that space because it turns out time is a finite quantity and spreading it too thin means getting nowhere with anything.
Outwardly, I’m happy that BSidesLV and DEF CON both appear to have had an increasingly diverse attendance, though I have no idea how accurate the numbers are given their methodology. (To be fair, I’m super happy someone is trying to even to figure this out in the chaos that is hacker summer camp.) The industry, and the conferences, may never hit a 50/50 gender split, but I think that’s okay if we can get to a point where we build an inclusive meritocracy of an environment. Ensuring that women, LGBTQ, and minorities who want to get into this industry can do so and feel included when they do is critical to our success. I’m a firm believer that the best security professionals draw from their life background when designing solutions, and having a diverse set of life backgrounds ensures a diverse set of solutions. Different experiences and different viewpoints avoids groupthink, so I’m very hopeful to see those numbers continue to rise each year.
I have zero data to back this up, but observationally, it seemed that more attendees brought their kids with them to hacker summer camp. I love this: inspiring the next generation of hackers, showing them that technology can be used to do cool things, and that it’s never too early to start learning about it will benefit both them (excel in the workforce, even if they take the hacker mindset to another industry) and society (more creative/critical thinkers, better understanding of future tech, and hopefully keeping them on the white hat side). I don’t know how much of this is a sign of the maturing industry (more hackers have kids now), more parents feel that it’s important to expose their kids to this community, or maybe just a result of the different layout of Caesar’s, leading to bad observations.
There were a few things from my packing list this year that turned out to be really useful. I’m going to try to do an updated planning post pair (e.g., one far out and one shortly before con) for next year, but there’s a few things I really thought were useful and so I’ll highlight them here.
- An evaporative cooling towel really helps with the Vegas heat. It’s super lightweight and takes virtually no space. Dry, its useful as a normal towel, but if you wet it slightly, the evaporating water actually cools off the towel (and you). Awesome for 108 degree weather.
- An aluminum water bottle would’ve been nice. Again, fight the dehydration. In the con space, there’s lots of water dispensers with at least filtered water (Vegas tap water is terrible) plus the SIGG bottles are nice because you can use a carabiner to strap it to your bag. I like the aluminum better than a polycarbonate (aka Nalgene) because it won’t crack no matter how you abuse it. (Ok, maybe it’s possible to crack aluminum, but this isn’t the Hydraulic Press Channel.)
- RFID sleeves. I mentioned these before. Yes, my room key was based on some RFID/proximity technology. Yes, a proxmark can clone it. Yes, I wanted to avoid that happening without my knowing.
For some reason, I didn’t get a chance to break out a lot of the hacking gear I brought with me, but I’ll probably continue to bring it to cons “just in case”. I’m usually checking a bag anyway, so a few pounds of gear is a better option than regretting it if I want to do something.
That concludes my Hacker Summer Camp blog series for this year. I hope it’s been useful, entertaining, or both. Agree with something I said? Disagree? Hit me up on Twitter or find me via other means of communications. :)