For those unfamiliar with the term, Hacker Summer Camp is the combination of DEF CON, Black Hat USA, and BSides Las Vegas that takes place in the hot Las Vegas sun every summer, along with all the associated parties and side events. It’s the largest gathering of hackers, information security professionals and enthusiasts, and has been growing for 25 years. In this post, I’ll present my views on how to get the most out of your 2018 trip to the desert, along with tips & points from some of my friends.

The Panel

Because not everyone enjoys everything the same way, I’ve asked a few of my friends to chime in for this blog post as well. Some are new to the field, and others have been around a lot longer than myself. These are itsc0rg1, illusorycake, dissect0r, fadec0d3, and Anonymous.

The Events

There are 3 main events: DEF CON, Black Hat, and BSides Las Vegas (BSides LV). Along with this, there are dozens of parties (corporate sponsors, DEF CON local groups, etc.) and a number of smaller events like QueerCon and the Diana Initiative.

As in year’s past, Black Hat begins the week with Trainings Saturday-Tuesday and Briefings on Wednesday and Thursday. DEF CON follows up with DC 101 talks on Thursday, and all the events are open Friday-Sunday. BSidesLV overlaps with Black Hat on Tuesday and Wednesday. This means you can’t realistically do all 3 cons – I’ve tried, it really doesn’t work. The closest might be doing BSidesLV on Tuesday, Black Hat Briefings Wednesday and Thursday, then DEF CON Friday through Sunday. It works on paper, but unless you have way more energy than I do, it’ll get you burned out pretty quickly.

DEF CON

DEF CON Logo

DEF CON is the largest and original of the 3 conferences. Founded in 1993, it is one of the longest running Hacker/Computer Security conferences, drawing an estimated 25,000 attendees for DEF CON 25 in 2017. It’s widely speculated that this year’s attendance will hit 30,000, so be ready to meet some new friends. Introverts and those whose dislike crowds will want to make sure to be prepared to take breaks from the masses at DEF CON.

In case you missed the big announcement, DEF CON will be spread across two hotels this year: Caesar’s Palace and the Flamingo. I’m excited about this change, but it does mean more time out in the Las Vegas sun. This seems to be due to the continued growth of the DEF CON “Village” concept, which is very exciting to me – it gives more space for the niche interests within the hacker subculture to come together and explore their specific topics in more depth.

DEF CON Villages are topic-specific areas with presentations and hands-on activities for a small subarea/niche of the larger hacker/security community, like lockpicking or IoT security. If you’re into one of these areas (or want to explore it), the Villages are a great opportunity. Unlike main track talks, Village speakers will often hang around after their talk slot to talk to attendees, so you might get some opportunities to dig into their knowledge. If you’re really into their area of research, offer to buy them a drink – that’s a great way to show appreciation for them sharing their knowledge!

DEF CON has earned the nickname “line con” among some attendees, as it seems like there’s a line for everything. Want to attend a talk? Line up an hour before. Want to get into a village when it opens? Better be lined up. Want to get your badge early on Thursday? Try lining up at 1AM. That being said, you don’t have to do things this way. The talks will end up on YouTube (or buy them even sooner) or you can always hang out in someone’s hotel room and watch them over the hotel cable. Villages are generally accessible if you don’t go first thing.

DEF CON is the most “hacker culture” of the conferences – lots of hackers, very casual, no corporate sponsors. (This also means no free swag, so you might want to check out Black Hat if you’re looking for the free stuff.) DEF CON does have a fairly decent vendor floor – note that these are not vendors of security snake oil, but vendors of cool hacker stuff to sell right there at the conference. (Including a lot of hacker shirts.)

Black Hat Briefings

Black Hat involves both the “Briefings” (talks) and the “Trainings.” Black Hat trainings are generally very high quality, and the ticket price shows it. The briefings are also high quality, but will also eventually end up on YouTube. As a general rule, those attending either briefings or trainings are getting their pass paid for by their employer or self-employed and able to deduct the expense.

Here you’ll find far more attendees in polos or button-up shirts and khakis than in the black t-shirt and jeans of DEF CON. You’ll also find the occasional suit, which I really don’t understand in the Las Vegas heat.

Black Hat has a much larger vendor area than DEF CON, but in this case, I do mean vendors to sell you security snake oil. Every IDS, endpoint security solution, consultancy, and magic appliance vendor will be there. Some of them will have free things for you. Some of them will not. Such is life.

BSides Las Vegas

BSides Las Vegas is a smaller conference (around 3000 people, so still a decent size) and runs more or less in parallel to Black Hat Briefings. BSidesLV was the first BSides security conference, intended to be the “B-Side” to Black Hat. It’s a great option for those looking for more of a community feel or not wanting to pay for a Black Hat pass. It’s a very “chill” environment, not nearly as crazy or pushy as DEF CON, and not corporate like Black Hat.

BSides is small, but still has a lot of high-quality talks from world class researchers and speakers. Many of them will also be presented at one of the other conferences, but will give you a chance to be up close with the speakers and get a chance to interact with them as well.

BSidesLV also hosts epic pool parties with great music and fewer shenanigans than happen at some of the DEF CON parties. Some people have compared BSidesLV today to DEF CON back in the Alexis Park days.

BSides is also home to my favorite educational CTF: Pros vs Joes. It’s a great CTF designed to give players hands on experience with a variety of tools and techniques, and provide an opportunity to do things they might not have done before.

Edit: thanks to dc0de for pointing out that I was missing some of the best parts of BSidesLV.

Ask the Panel: DEF CON, BSides Las Vegas, Black Hat: pick one. Why?

Matir: Hands down DEF CON. It’s one of the few opportunities I get where I feel comfortable being myself and even talking to strangers. There’s a sense of belonging with many of the other attendees, and it’s amazing how passionate everyone is about what they’re working on. Of the three, it’s the one I feel most embodies the hacker spirit and culture.

fadec0d3: Both DEF CON and BSides for the culture.

illusorycake: BSides Las Vegas because it seems easier to get into the interactional aspects of it due to the smaller crowd. DEF CON is a hell of a fun experience but it seems a bit more difficult to understand what all is there to interact with. I stumbled upon really neat stuff both years I’ve been to DEF CON though, so if you can swing both BSides and DEF CON, I’d recommend it. I’ve been to Black Hat once and didn’t really feel compelled to go again.

itsc0rg1: Defcon, I love the villages and the interactions.

dissect0r: I think they all have their pros and cons, and I know many folks that like to do more than one every year. Based on work schedules, etc., I tend to always shoot for DEF CON, but I should mention that I like DEF CON more for catching up with friends and colleagues than solely for the content of the conference talks/tracks. I also think that DEF CON has more variety overall when it comes to topics, vendors, events, and personalities.

Anonymous: DEF CON. Black Hat is too corporate (and pricey) for my tastes, and while BSidesLV can be fun due to its size, DEF CON is just something that everyone should experience, imo. It can be huge and overwhelming but also small and fun.

Travel Logistics

Vegas

If you haven’t already booked your hotel and airfare, there’s no time like the present. Rooms at Caesar’s Palace have dramatically increased in price. The other properties in the area still have decent availability. If you don’t want to pay Caesar’s pricing, Flamingo is a good choice for convenience (since the conference is spreading over there). Alternatively, the rooms at Paris are quite nice, it gets you some distance from the crowds, but is still just across the street. (Though if you’ve never been to Vegas before, note that “across the street” is still likely a 15-20 minute walk from your room to the conference floor.)

I’ve had numerous debates with others about whether or not to stay at the conference hotel. (Caesar’s for DEF CON, Mandalay Bay for Black Hat, or Tuscany for BSidesLV.) I maintain that I like to be able to just drop off stuff I don’t want to carry around, take a short break at times, etc. Others feel that getting more distance between themselves and the conferences is superior. At the end of the day, it comes down to personal preference (and potentially cost, depending on the hotels you’re comparing). I put a full comparison list in my 2016 summer camp guide.

Airfare is already going up as well. Whether or not it will keep going up is a mystery (I don’t think anyone really understands airfare pricing, even the airlines) but it’s probably worth booking now. One of the nice things about Las Vegas is the number of direct flights to get there.

I like to arrive the afternoon before the first thing I’m attending, and depart the morning after the last. While that does add to the hotel stay and the amount of time I’m spending in Las Vegas, arriving the afternoon before allows me to get settled in and be ready to go in the morning, and staying until the morning after ensures I don’t have to leave early for my flight. Additionally, I’ve found it’s a great chance to have a post-con dinner or drinks with new connections (or ones I don’t get to see often enough).

What to Do

The most ubiquituous piece of advice you’ll find about attending DEF CON is to be an active participant and not just sit there and hope to have things happen by osmosis. You absolutely can go and just sit in the talks and listen. I did mostly that at my first DEF CON, and it was good – but it wasn’t great. Participating makes it great.

So what do I mean by participating? It can come in many forms:

  • Go to villages and try hands on activities (soldering, lockpicking, etc.)
  • Meet people and find out what they’re working on
  • Find a group to try one of the contests (Scavenger Hunt, Badge Challenge, etc.)

At DEF CON, in addition to the talks, you have a large number of other activities, so nobody can say there’s nothing they want to do. In fact, I never manage to get to all the things I wanted to.

  • Many Villages
    • Packet Hacking
    • Lockpicking
    • Tamper Evident
    • Crypto and Privacy
    • Wireless
    • IoT
    • Car Hacking
    • Election Hacking
      • More every year (and some I’m sure I’ve forgotten)
  • Vendors willing to take your money
  • Contests
    • Scavenger Hunt
    • Capture the Packet
    • Badge Challenge
    • Beverage Cooling Contraption
    • Hack Fortress
  • Side Events
    • DEF CON Shoot
    • Toxic BBQ
    • Drinking (who knew?)
    • Networking
    • Parties (Official & Unofficial)

I put a big emphasis on the hands on activities. I have seen people demo new tools (DEF CON demo labs), taught kids how to hack (R00tz Asylum), first learned to pick locks (Lockpicking Village), learned about network forensics (Capture the Packet), seen people hack cars (Car Hacking Village) and hacked on IoT devices and voting machines (IoT and Election Hacking villages). I meet up with people I only see once a year and share what we’re both working on, meet friends of friends, and so much more. Every year I spend every waking moment doing stuff and still wish I’d had more time at the end.

I should mention that both DEF CON and BSidesLV have talks that are not recorded: at DEF CON, these are “SkyTalks” and BSidesLV calls them “Underground.” If you see something on the schedule in those areas that interests you, you should go, as it’s likely your only chance to see the relevant talk. Don’t try to record with your phone either: I’ve seen people ejected and phones confiscated for this behavior. These talks are off the record for a reason.

What not to do!

Look, it’s pretty simple: don’t be a dumbass. Please don’t ruin things for others. (It sometimes amazes me DEF CON doesn’t get banned from hotels, but I guess for enough money, the hotels will tolerate quite a bit.) Examples of things you should not do:

  • Get alcohol poisioning and spend your con in the hospital.
  • Do grossly illegal things (Vegas has cameras, or so I hear)
  • Brag about hacks that were a crime (true or not) unless you want to chat with the feds.
  • Harass or assault anyone.

Also, please try not to argue with the DEF CON Goons or the BSidesLV Staff. Most of the time, you’ll look stupid, and they usually have a good reason for what they’re asking you to do. (Crowd control, fire code, etc.)

Ask the Panel: What’s your favorite thing about Hacker Summer Camp?

What’s your favorite thing about Hacker Summer Camp? What can you not miss or just must do?

Matir: The IoT village is one of my favorite places to hang out and meet people with similar interests. I’m also on staff for the Pros vs Joes CTF at BSides Las Vegas, so you’ll find me there during BSidesLV. I’ll also always make the Dual Core performance at DEF CON, and sometimes some of int0x80’s side performances at other events. (I don’t deny it, I’m a bit of a fanboy.)

fadec0d3: Don’t miss the workshops & villages.

itsc0rg1: Conversations / Contests.

dissect0r: I try to swing past every hacker village at least once, but usually several times. Sometimes there are unique and interesting things going on or fun people participating in the village when you least expect it. And I always bring a lot of cash for the vendor area — every year there seems to be a handful of devices that everyone wants, and sometimes stock clears out fast! I always throw down a lot of money on hardware and new gadgets or tools.

Anonymous: My favorite part is learning new things. I try to challenge myself as much as possible to learn something new every year, whether it’s soldering (DEF CON XX), a new attack technique, or starting a new programming language. In many cases it’s not something I use again, but I can at least say I’ve tried it. I absolutely can’t miss the Dual Core performance.

illusorycake: I get really inspired seeing what the community is up to. I’m not at a place in my career yet where I can contribute much, as I’m still learning a lot, but seeing what other folks are working on and the passion that people have for this stuff is fuel to the fire of my own passion for it. As for a thing I must do, definitely spending a bit of time outside of the conference to enjoy some of the Vegas sunshine.

What to Bring

What you should or should not bring with you is also a surprisingly divisive topic. I’ll begin by admitting that I’m a bit of a pack rat and tend to bring everything I could possibly want to have with me. (Ok, maybe not quite that bad, but I still tend to bring far more than necessary.) Others prefer a much more minimalist approach. Both probably work out well for different individuals. (Or maybe I’m quite unreasonable about what I bring.)

If you want to participate in some of the hands-on activities, you may either want or need to bring more specialized equipment. For example, if you want to do hardware hacking, it might be easier to bring your own soldering iron than to try to get into the Hardware Hacking Village when you want. Perhaps you’ll bring your own lockpicks for the Lockpicking Village. (The lockpicks in the village tend to be cheap picks that end up being badly abused during the con, so this can be great if you care about working with better tools.)

Electronics

The DEF CON network is often described as “the most dangerous network in the world”. While I think this overstates the risks (by quite a bit, actually), it makes sense to take precautions and to consider the network a hostile network. (Though you really should think of any network you don’t control as a hostile network.)

Some will suggest that you leave all your electronics at home (or at least in your room) and spend your time doing things that require your in-person presence (meeting people, hands-on activities, etc.). This is not a bad idea, but I think almost everyone will end up carrying at least a cell phone with them, even if only to stay in touch with friends.

When it comes to laptops, there are two questions to be answered: will you bring one with you at all, and if so, will you carry it with you daily?

I think most will end up bringing a laptop. Some might feel comfortable bringing their everyday laptop, and I’ve done that before (after swapping out the SSD for one with an alternate image to protect my data, just in case). This year, however, I’ll be carrying a Chromebook – the Asus C302CA with Crouton installed. If all you need is internet access, a Chromebook offers the highest level of security while on a hostile network. Placing it in developer mode does reduce the security guarantees somewhat, but also allows you to run Crouton, which gives a more or less fully functional Debian Linux chroot. You can also run Debian derivatives like Kali, which is what I do, since I will use the device for CTFs and contests.

If you’re not going to participate in a contest or activity that requires the use of a laptop, I encourage you to leave it in your hotel room safe. (Yes, I acknowledge that carrying it with you is a better mitigation against evil maid attacks, but if you’re that paranoid, you’re probably already aware of that.) There’s no sense in carrying extra weight and hopefully you’ll be spending your time doing interactive things instead of staring at a laptop screen.

Once you’ve decided what you’ll bring, you should take some reasonable steps to secure your electronics.

On all devices, you should setup a VPN service (either commercial or your own) and use it at all times. I’ve used Private Internet Access when travelling, but there are a number of providers with good reputations out there. I even use it over the cellular network because of the rumors of Stingrays and Rogue Cell Towers. (Yes, if the operator of those devices has an 0-day for your baseband, you’re still screwed.) You should also ensure that all devices are using a password for login and lock after going to screensaver/sleep mode.

If you connect to the conference WiFi, connect to the “secure” DEF CON network that uses 802.1x authentication. If you’ve setup the proper certificate, this should make it very difficult for someone to create a rogue AP. This network also does not allow client-to-client traffic, so should be reasonably secure against too much malicious activity. You’ll still want to use the VPN though.

For cell phones, use a phone with the latest Android or iOS build, or bring a burner phone (i.e., one with no data that you care about). Make sure it’s fully patched before you leave home, and don’t accept updates that may appear while at con. Enable device encryption and at least a strong PIN (if not password) to unlock the screen. It is exceedingly unlikely that someone will waste an iOS or Android 0-day to pop random phones while at the conference.

For laptops, the advice is similar. You should be fully patched and enable full-disk encryption. Turn on a software firewall, dropping all incoming connections. Set a BIOS/UEFI administrator password. When it’s not in your posession, at least put it in your room safe. (This is more about theft than about hacking, but it’s a good idea either way.)

Electronic Device Checklist

  • Backup all your data
  • Try not to carry very sensitive data
  • Fully patch your OS and applications (esp. browsers)
  • Use Full-Disk Encryption
  • Enable your firewall
  • Use a VPN
  • Don’t accept updates over hostile networks
  • Don’t click past SSL warnings
  • Consider a separate hard drive or separate device
  • If you leave it unattended, leave it with a trustworthy friend or in your hotel room safe.
  • Turn off interfaces you’re not using (WiFi, Bluetooth, etc.)

Cash

While Black Hat is probably not a problem with only a credit card, DEF CON is certainly a predominantly cash economy. DEF CON badge purchase is cash only, no preregistration, the official DEF CON SWAG area is cash only, and all of the bars at the events are cash only. Most of the vendors will deal mostly in cash (some exclusively) and, of course, Las Vegas as a city still sees a ton of cash flowing through. (Please remember to tip!)

Put simply, you’ll want to bring cash with you. At an absolute minimum, DEF CON badges are $280 this year. Things can quickly add up though if you get swag, buy gadgets, drink a lot, etc. Obviously, it’s better to bring too much cash than too little, as using the ATMs on the casino floor will, at a minimum, carry a hefty fee. At worst, the ATM may be compromised or have a skimmer on it. (Again, this may be a case where DEF CON’s bark is worst than its bite, but it’s still a good idea to be safe.)

Remember that Las Vegas is basically a giant service industry, and the service industry workers expect tips. Anyone who comes into contact with your luggage, delivers something for you, brings you something, etc., is probably expecting a tip. Vegas.com offers a detailed guide.

Food and Drink

You’ll want to eat and drink. Drinking alcohol is optional, but pretty common as well. There’s a wide range of strategies on how to do this depending upon your budget and personal tastes/desires. Attendees on a tight budget can bring a lot with them (energy bars, etc.) or get food at a local grocery store, but Vegas is also home to a number of high quality restaurants, including some that are a great value.

For quick/cheap eats, there’s a number of options:

  1. Close by, both Caesars and Bally’s have food courts with a variety of typical food court fare.
  2. Shake Shack down the strip at New York New York is very popular.
  3. Fremont Street, just a little off the strip, has a number of good budget-friendly options.

Las Vegas buffets can be a good value, but they are often not cheap – you can get a lot for your money, but it’s still quite a bit more than the cheaper venues. On the other hand, buffets can be good for a group because of the sheer variety of food available. The buffet at Caesar’s (Bacchanal) is very good, but also fairly expensive – around $50/person for dinner!

At the upper end, Vegas is home to a number of Michelin Star and celebrity chef restaurants. You can find something to suit any taste. I once had a coworker suggest a restaurant to me with a several-hundred dollar tasting menu. (I’m sure it’s great, but I doubt I have the palette to appreciate it.)

While convenient, I’d skip the food lines setup in a number of the rooms at DEF CON and Black Hat. These provide low-quality food at very high prices. (Think vastly overpriced sandwiches and hot dogs.)

Regardless of how you choose to eat, you must stay hydrated. Las Vegas is both hot and dry, which makes for quick dehydration. Even being inside you may find yourself less hydrated than usual due to the dry air. Bottled water can be expensive, especially if you buy it from the hotel, so many choose to either have some delivered or refill a Camelbak or Sigg-style water bottle. You can also get bottled water at the drugstores and convenience stores on the strip for much less than the hotel will charge you.

I’ve let myself get dehydrated a few times during Hacker Summer Camp, and it really ruins things. Even once you start drinking properly, it will be a day or two before you start feeling right again. In a 4 day event, that’s a long time to feel like crap. For the shorter cons, that’s the entire con!

Speaking of drinking: a lot of drinking goes on at DEF CON, BSidesLV, and the associated parties. I’ve found a good way to help avoid a hangover is one drink (cup/glass/bottle) of water to each alcoholic drink I go through. I’m not sure if it slows my intake of alcohol or just keeps me more hydrated to avoid the hangover, but it does work.

If you’re drinking on a budget, try to get yourself invited to sponsored parties/events with open bars. I’ve also heard some people carry flasks, but I don’t know how well that works out. The bars setup within the con space are going to serve mainstream drinks for hotel prices (think $6 for Bud Light and $8 for house/well liquor). If you’re at BSidesLV or want to travel over to Tuscany, Pub 365 has a great selection (365 beers!) and is pretty reasonably priced, with many craft beers for $5-6 each. The food at Pub 365 is solid as well.

My personal favorite food and drink venues in Vegas:

  • Pub 365 at Tuscany for the Craft Beer selection, solid food, and decent atmosphere. Busy during BSidesLV, quiet the rest of the week.
  • Gordon Ramsay Pub & Grill at Caesar’s Palace has good service and excellent food. A little overpriced to go with the celebrity name, but not over the top.
  • The Buffet at Wynn for a buffet and a break from the conference hotels. On the expensive end for buffets, but the food is absolutely top notch and the pastries in the dessert section are the best.
  • Shake Shack is one of my wife’s favorites, and she introduced me to it last year. Solid burger, great shakes, and quick to boot. The burger here was better than Gordon Ramsay Burger at Planet Hollywood.
  • Carnegie Deli at the Mirage has solid deli-style food. The sandwiches are expensive for a sandwich, but big enough to split or to have for two meals. Seriously. (Even for a big guy like me!)

Other Supplies

Clothing should be pretty obvious, and you can count on August in Las Vegas being hot. Depending on which events you are attending, the social conventions of dress code may vary somewhat. For example, at both BSidesLV and DEF CON, the “norm” is a t-shirt and shorts or jeans. Black Hat will be a mix of t-shirts and polos with jeans or khakis. (And yes, some button-down shirts and suits too.) Of the three, Black Hat probably has the most information communicated by what someone is wearing. You can usually spot upper management, middle management, and engineers on sight.

If you’re planning to go to parties held at any of the Vegas clubs, you’ll probably need to plan for their dress codes. Most of the clubs will enforce their code after a certain time, and at a minimum men will want nice jeans (not torn/ripped and no shorts) and a collared shirt. I won’t begin to pretend to know enough about women’s fashion to say anything there, but just understand the clubs will be enforcing dress codes in the evenings.

On the other end of the spectrum, there are also pool parties at BSidesLV and Queercon. If you want to attend these, you should probably bring a swimsuit. Or, you know, shorts you don’t mind getting wet.

You should also bring some aspirin or ibuprofen (“Advil” or “Motrin”), I don’t suggest paracetamol (“Tylenol”) because you’ll probably be drinking a bit, and your liver won’t like the combination. (Note: I’m not a doctor and this isn’t medical advice, but you should probably keep that in mind.)

As to everyday carry, we’ve already covered the cell phone everyone will be carrying, and the water bottle everyone should be carrying. I also suggest carrying a backup USB battery (even a small one) for your phone, your cash, and hotel keycard. Some also like notebooks or other ways to take notes during talks or when meeting people.

Note that, according to the every-other-year electronic badge philosophy announced by Dark Tangent, DEF CON 26 should have an electronic badge. So if you’re into badge hacking, you might want to bring the appropriate tools. At a minimum, I’d suggest some sort of universal interface like a Bus Pirate, an FT232H breakout board, or the FTDI FT232H cable. The FTDI cable probably has the best form factor to bring with you to the con. If you’re not familiar with these tools, my IoT Hacker’s Toolkit talk from BSidesSF has more details.

Ask the Panel: What do you carry with you at the cons?

Matir: Entirely too much. I carry a cell phone, my Skeletool, cash, an Anker Powercore battery, hotel room key, a small Moleskine notebook, business cards, and a steel-barreled pen. I carry it all in a Timbuk2 backpack specifically chosen to not be too big – it forces me to make decisions about what I carry, and prevents me from just taking everything with me. This year I’ll be adding an aluminum water bottle to stay hydrated and a cooling towel to help stay cool in the Las Vegas sun. I bring enough cash for the whole week so I don’t have to deal with ATM fees or the risk of skimmers. (Las Vegas is popular for ATM skimmers, this isn’t something unique to Hacker Summer Camp.)

illusorycake: A laptop with my favorite Linux distro on it, water(s), relevant power cords, a notebook or two, a few pens, chapstick, ibuprofen, cash, ID, and all the swag I can find and fit in whatever bag I have with me. If you’re looking for a new t-shirt wardrobe, you can easily obtain it at Hacker Summer Camp. One addition I’ll be making to my bag this year is a portable soldering iron so I can solder in a peaceful place and at my own pace.

fadec0d3: Bring a (lightweight) burner laptop you’re comfortable with using.

itsC0rg1: Deodorant, a water bottle and protein bars.

dissect0r: Backpack with the necessities (laptop, chargers, lock picks, etc.), extra cash, snacks, hydration.

Anonymous: A backpack of some sort. (I’m not picky which one.) A portable computer I can wipe. (Specifically a Lenovo 11e with an upgraded SSD running Kali Linux.) A small soldering kit. A kit of electronics tools. My con phone (not so much a burner as simply a phone, like the aforementioned laptop, that I can easily wipe once home). In the hotel room, I might also have things like more electronics parts, etc. mainly in anticipation of a contest or badge that I can play around with.

Packing Checklist

This is just to get you started, and you’ll need much more, but hopefully it has some good reminders.

  • Clothes for hot Vegas days.
  • Clothes for parties in semi-hot Vegas nights.
  • Secured Cell Phone
  • (Optional, but common) Secured Laptop
  • Notebook/Pen
  • Business/Personal Cards (I have cards I give to people I meet in contexts not related to my employer.)
  • Cash for DEF CON Ticket, Drinks, Tips, Gaming, etc.
  • Deodorant
  • (Optional, but common) Tools for Hacking
  • RFID blocking sleeves

First Timers

If this happens to be your first Hacker Summer Camp, it’s pretty easy to be overwhelmed by it all. Actually, even if it’s not your first time, it’s pretty easy to be overwhelmed by it all.

If you haven’t seen it before, you might want to check out the DEF CON Documentary produced by Jason Scott (@textfiles). While it’s a very small slice of DEF CON, it’s still well produced and a very interesting watch.

3-2-1 Rule

If you attend the DEF CON 101 session, you’ll hear about the 3-2-1 rule, but I think it’s so important, that it bears repeating here. At an absolute minimum, you should get 3 hours of sleep, 2 meals, and 1 shower each day. This rule is both for your own safety and the comfort of others. (I wonder if they should add a “4” for “4 liters of water”.)

On behalf of fellow attendees, the shower is the most important part of that rule. Because of the heat and the walking, I will tend to end up taking 2 showers every day: one in the morning to wake me up, and one just before dinner, because I don’t want to smell at dinner. One of my friends said she was going to bring travel sized deodorants for other attendees, and she wasn’t kidding. Please don’t be that person. (In case you’re unaware, “body sprays” like Axe are not a deodorant. Then you just smell like sweat and cheap body spray.)

Manage Your Energy

I’ve definitely mentioned this before, but it bears repeating. Even if you’re only going to a single con of the week, it’s a long event with long days, and it’s in a hot climate. If you try to do everything, you’ll just end up feeling like crap or burning yourself out. Manage your energy as you go, and if you need to take a break, take it! I know FOMO (fear of missing out) is a thing, but if you burn yourself out too far, you’ll miss out on a lot more than a short break.

Taking a break also doesn’t mean you have to completely stop doing anything con related. There are some ways to recover your energy while still having a good time and doing things:

  • Grab a (new) friend and head to one of the quieter bars for a drink and to catch up.
  • If you’re staying onsite or at one of the other Caesar’s properties with the talks on TV, head to your room and watch a talk.
  • If you know someone from one of the groups that has a suite, head up there to hang out. They tend to be a lot quieter and more chill than the con floor.
  • If you or someone you know has brought electronic gear with them, find a quiet place to work on the electronic badge (or #badgelife).

You should also be prepared to walk a lot. I know, a lot of us hackers are far more used to sitting in front of the comforting glow of a few LCDs, but even within the hotels, you’ll be walking a lot between areas. So wear comfortable shoes and be ready for the hot Vegas sun to make you sweat, a lot.

Plan Ahead

You should do some amount of planning ahead for con. I failed miserably at this my first time, and it could have been so much better if I hadn’t.

I’m not saying you should make a minute-by-minute (or even hour-by-hour) plan. But you should have an idea of what’s available to do, what your top goals are, and what is located where.

For example, you might want to take a look at the Caesar’s property map and the conference area floor plans to get an idea of what is where and where you might be going. You can look at last year’s DEF CON Program to get an idea of how the layout might look, but DEF CON tends to reimagine how the space gets used year to year based on the evolution of the conference and the lessons learned from the previous year, so don’t count on it being the same.

Likewise, as the event and talk schedules get released, you might want to look at them and start making a list of things you “must do”. (Again, recall that talks will be placed online, so unless you feel like it’s particularly timely for you, I suggest focusing on the things you can only do “in person”.) This can be very useful for your evening plans such as parties and musical performances. You can follow @defconparties on Twitter for all the Hacker Summer Camp party information. (Don’t let the name confuse you, they cover all the parties of the week.)

Physical Safety

Keep on eye on what’s on around you. I personally find the cons to be far more safe than Vegas streets, but that’s not to say there isn’t someone who wants to take advantage of you at the cons either. Just like you should in any busy public place or major city:

  • Keep your wallet in a front pocket
  • Don’t make your electronics easy to grab
  • Don’t leave your valuables unattended even for a brief minute (better to lose your seat than to lose your electronics)
  • If somebody on the street gets into your personal space, odds are they’re up to something.

Ask the Panel: What’s one thing you wish you knew before your first DEF CON?

Matir: I should have been ready to do more than just go to talks and parties. Being ready for competitions, being ready to be more social, having a better plan. If you don’t know all the things that are going on, it’s so easy to become frozen and overwhelmed by it all.

illusorycake: I wish I had known the scope of DEF CON. There are lots of different things going on: talks, villages, smaller conferences/events that overlap DEF CON, etc. It can be overwhelming to even simply just know what is available for you to do. I recommend talking to folks who have been before and asking them questions about anything that’s confusing once you have a schedule/agenda in front of you to reference.

fadec0d3: Don’t worry about missing lectures, they’re recorded.

itsC0rg1: Taking breaks is important, crowds are a bit overwhelming.

dissect0r: I tell newcomers not to be too rigid about their scheduling expectations, don’t expect to make it to every exciting talk you want to see. Sometimes the lines are staggering, and standing room only is not always a fun way learn new things. I expect to catch some of those epic talks later online or from the recordings. Be flexible, don’t be afraid to break from your expected schedule to grab a drink with some new friends, and definitely bring some extra cash to blow on vendor wares!

Anonymous: That not sleeping is ok but you still need to sleep.

Bonus Panel Question: What’s your best Hacker Summer Camp memory?

Matir: Dual Core performing at The Summit (an EFF fundraiser party) at DEF CON 20. It was an incredible show, and I really got into it, plus the party had great people and great drinks. There are so many runners up: hanging out with one of my best friends until early in the morning, a 2nd place finish in Capture the Packet, and getting a bright red mohawk for mohawkcon.

illusorycake: Pros vs Joes at BSides Las Vegas. If you’re looking for a practical experience of what it’s like to be a security engineer, this is the CTF for you.

fadec0d3: Accidentally overloading the electronic badge which broadcast to the radio, and ripping apart someone’s phone in the name of science to pick up IR visually for the electronic badge challenge.

itsC0rg1: A Goon handing me a bunch of free stickers when I was nearly collapsed from exhaustion.

dissect0r: There are a bunch, I don’t want to limit myself to just one. Some of my fondest memories are: meeting heroes in the security space — this brings a sense of realism to meet some of these people you admire online. Catching up with good friends that you don’t see near often enough. And learning new tricks and hacks that you didn’t know before.

Anonymous: Hanging out late at night working on some random contest. DEF CON can be such a nice blend of social and hacking, which is something we don’t always get to do if we don’t have access to a hackerspace and spend most of our time at home working on things. I’ve hatched so many plans and schemes and learned so much just sitting in the con area chatting late at night.

Summary

I hope this has been at least a little bit useful to you, or at least a good reminder of good times at Hacker Summer Camp. Feel free to share or hit me up on Twitter if you have ideas or suggestions for things I should have covered. This is the 3rd year in a row I’ve written such a guide, and you can find my 2017 guide here, and my 2016 guide in two parts here and here.

I suggest also checking out the Defcon for N00bs guide for other advice and another take on preparing for con.

Finally, a big thanks to illusorycake, fadec0d3, itsC0rg1, dissect0r, and Anonymous for contributing their thoughts. You all are great friends and hackers. I owe each of you a drink (or several) at Hacker Summer Camp this year.

FAQ

Are you paranoid?

Yes, I’m a professional paranoid. Everyone in this industry is, if they’ve been around long enough. In particular, I’m paid to simulate attackers, so I see everything as an opportunity to hack.

Will I get hacked at the cons?

Probably not, if you prepare well and aren’t stupid about it. But if you use open wifi with no protection, well, you’ll probably find out just how trivial such attacks are.

Should I go to talks?

Some people have interpreted my view on talks as “don’t go to talks, they’re a waste of time”, and that couldn’t be further from the truth. I think the talks are great, but unless it’s a talk that won’t be recorded, or is particularly relevant to you, I generally choose to do something requiring my physical presence at that time instead of sitting in a room listening to the talk. (And spending time lining up before the talk to even get into the room.)