Every year, I try to distill some of the changes, events, and information surrounding the big week of computer security conferences in Las Vegas. This week, including Black Hat, BSides Las Vegas, and DEF CON, is what some refer to as “Hacker Summer Camp” and is likely the largest gathering of computer security professionals and hackers each year.

The Conferences

In my mind, there is a spectrum of conferences in the realm of hacking and computer security. They range from pure hacker conferences to security industry tradeshows. I have a strong preference for the pure hacker conferences, but I realize that not everyone agrees with me. It may, however, color my opinions of the 3 conferences in Las Vegas during Hacker Summer Camp.

Hacker conferences are all about showing off cool technical tricks, and not all of them need to be security related – see the beverage cooling contraption contest at DEF CON. You’ll find most attendees in black t-shirts and jeans or shorts, with the occasional utilikilt. (Yes, it’s a stereotype, but that doesn’t mean it’s not true.) You’ll find people who are excited about whatever they’re working on and willing to share it with you just because they want to share. You’ll find those where hacking is something that just comes naturally, and if they’re lucky, they’ve turned it into a way to pay the bills too. The vendor area, if any, is full of vendors selling esoteric electronics, lockpicks, and more black t-shirts.

At the other end of the spectrum, you have events that are run by companies, for companies. The vendor area becomes a central focus, with lots of companies wanting to sell you “turnkey solutions”, and wanting to scan your badge to collect your information for later mailing. The average dress code here is polo shirt and khakis, but if you’re in management, the blazer may make an appearance as well. The first question is “where do you work?” not “what do you do?”

One (to me) key difference is in the badge. While hacker cons have trended towards interesting badges (electronic, laser cut, etc.), what really sets them apart is whether badges carry identification. Hacker con badges are merely admission to the event, and every one is identical, so don’t lose it! (Excluding special badges for press, speakers, “Goons”, etc.) At security industry conferences, your name (and often your employer) are proudly displayed for everyone to see. Anonymity is a non-goal at these events.

If you plan to do more than one of the conferences, keep in mind how long you will be in Las Vegas as a result. I once did 4 days of training at Black Hat, followed by Black Hat briefings, followed by DEF CON. (And a company event in between!) This resulted in an 11 day stay in Las Vegas, which is way too long for my personal tolerance. Even without the heat, the 24/7 nature of the Vegas strip just really pushed me mentally, so consider your personal capacity for such a city.

DEF CON

DEF CON is the conference that started it all. Since 1993, Dark Tangent has been bringing hackers together to hang out in the Las Vegas summer. DEF CON is also, by far, the largest of the 3 conferences, with somewhere upwards of 20,000 attendees. Nearly every talk will be completely packed, with many forming a line as long as an hour in advance. Elevators will be crowded, hallways will be crowded, and it will be crazy – and I love every minute of it!

For me, the best part of DEF CON is the villages. These are specialized areas providing an opportunity for individuals with particular interests to get together and focus on that area of hacking. Examples of villages include the IoT village (where I had the privilege to speak last year), the lockpicking village, the tamper-evident village, the packet capture village, and many, many more. Last year there were so many villages I didn’t even get a chance to see them all.

Many of the villages offer hands-on activities, which are some of the best opportunities at DEF CON. For example, the Packet Capture village has “Capture the Packet”, a network forensics challenge, the IoT village has an IoT CTF, the lockpicking village has hands-on lockpicking, and the soldering skills village has soldering irons set up along with kits to practice – or even challenge – your soldering skills. These are just a few of the ways you can get hands-on practice in specialized security or hacking domains directly from some of the most passionate individuals in those specializations.

DEF CON is also at a reasonably accessible price – it looks like badges will cost $300 this year. For 4 days of content, it’s really quite worth it. Note that badge purchases are cash only, so don’t forget to bring at least that.

If you haven’t seen it, there’s even a documentary about DEF CON.

Black Hat

Black Hat was the second of the conferences to be founded. Like DEF CON, it was founded by the Dark Tangent, but he eventually sold it off to a commercial conference organizer (United Business Media) that continues to run it today. Black Hat is the straight edge cousin to DEF CON – it is significantly closer to the “security industry” end of my conference spectrum. While the talks deliver high-quality content, there are not nearly as many “side opportunities” as presented at DEF CON.

On the other hand, Black Hat offers some of the premiere training opportunities each year. There are dozens of courses being offered, with a wide range of topics, from incident response to red teaming to ARM exploitation.

The quality of Black Hat will set you back a bit – briefing passes are from $2295 to $2895 depending on when you register, and trainings run from $3600 to $5600.

BSides Las Vegas

BSides Las Vegas, the first of the “Security BSides” conferences, is a smaller event that completely takes over the Tuscany Hotel & Casino for 2 days. It’s definitely a hacker event, but less chaotic than DEF CON. In years past, it’s also been the most approachable event with free tickets at the door.

Unfortunately, this year the free badge train has ended. Lines were forming hours in advance, with many, many people being disappointed at not getting a badge after spending hours waiting. Consequently, badges are available via sponsorship (individual or corporate), participation (speaking/volunteering), or booking a room in their room block. Of these options, I believe only participation remains to get a badge if you don’t have one yet. Check out the CFP or the call for volunteers. (Pro tip: volunteering for a hacker conference also introduces you to a number of great people in the space, which can be an excellent networking opportunity.)

The talks are high quality and many are used as a dry run for other conferences, or are the kind of talk that just barely didn’t make it. Sometimes they’re just too niche. One of my favorite features is that some speakers (“Proving Ground”) are new speakers who have been paired with a mentor to help them present their original research. This is a great opportunity to support new speakers, find topics that haven’t been covered before, and get some face to face time with the speaker after the talk.

BSides Las Vegas is also home to the Pros v Joes CTF, a unique CTF that provides both red team and blue team experiences in a highly-immersive environment. Unlike many CTFs, the 3 priorities for PvJ are:

  1. Education
  2. Fun
  3. Winning

Competition comes in third behind learning and having a good time. For those new to the industry or looking to expand their skillset, I can’t recommend a better free way to build those skills. (Full disclaimer: I’m a member of the PvJ staff after being a multi-year player.)

If you’re interested, check out the website, my Blue Team Player’s Guide, or my post on the evolution of the Blue Teams. Sign up is open now for both Pros and Joes.

Other Events

Queercon

Queercon is another event that has been associated with DEF CON for the last 16 years. Queercon started as a hacker party for the LGBTQ community at DEF CON but has grown into much more than that, with multiple parties, talks about diversity and inclusion in the IT security and hacker communities, and even a social network of LGBTQ hackers. This year, Queercon will be taking over the Alexis Park, the original home of DEF CON.

Queercon’s pool party is consistently one of the best events for the LGBTQ crowd and allies, and it’s a great organization to support the growth of diversity in an otherwise fairly vanilla community. Queercon will be providing a shuttle between the AP and Bally’s, so you can get back and forth without a hassle.

DEF CON Shoot

The DEF CON Shoot is an unofficial DEF CON event for sport shooting fans associated with the conferences. To quote their own website:

The DEF CON Shoot is a public event that happens just prior to the DEF CON hacker conference in Las Vegas, Nevada. It is an opportunity to see and possibly shoot some of the guns belonging to your friends while taking pride in showing and firing your own steel, as well, in a relaxed and welcoming atmosphere. Unlike many large shooting events, however, the DEF CON Shoot doesn’t typically take place at an established, brick-and-mortar gun range. Instead, we roll our own, so-to-speak.

Maybe you have a favorite chef in your hometown who is adventurous and will rent out abandoned space for a pop-up restaurant that only lasts one weekend or maybe you’ve attended an off-book beer garden on the edge of a city street one afternoon. The DEF CON Shoot has historically been like that. We rent tables, canopies, and I bring all the necessary safety equipment and amenities… and we have ourselves a pop-up gun range out on open land in the Nevada desert. It’s a hackers’ firing line that exists for only one day every year, then when the guns fall silent it vanishes again… not to be seen for another 364 days.

This event used to take place on Thursday, but has now moved to Wednesday to allow hackers taking part in the shoot to enjoy the Thursday events. If you participate – please remember, safety first and no drinking and shooting! Remember the 4 rules of firearms safety at all times.

Parties

I wouldn’t be doing the week justice if I didn’t mention that there are a few parties in Las Vegas associated with these conferences. DEF CON has probably the biggest party scene, but Black Hat has its fair share as well. DEF CON parties, like the conference itself, tend to be more community oriented, while Black Hat events have big name corporate sponsorship behind a lot of them. Some of the events really go all out, taking over top-tier nightclubs or other prime venues.

Where to Stay

As usual, there are generally two schools of thought on where to stay: either at one of the con hotels, or off-site. Both have pros and cons, and I’ll break out some of the more common considerations below. Neither option is “right” or “wrong”, and it often comes down to whether you want to be as immersed in the culture of the event as possible, or want to have a break from it by going back to your offsite hotel.

Staying at the Con Hotels

Pros:

  • Easy to quickly drop things off/grab things in your room.
  • Talks are streamed to the hotel rooms (roomcon).
  • No long walks/cab lines in the heat to get to your room.

For BSides Las Vegas, an additional pair of pros includes the two badges for the conference as well as the fact that the entire hotel is reserved for BSides attendees (during the conference) so you get to hang with like-minded hackers.

Cons:

  • Usually more expensive, unless booked very early.
  • Elevators are often overcrowded.

For DEF CON, there’s the added con of Caesar’s history of “health and welfare checks” (see below). If you decide to go this route, don’t forget to check the official room block, but also check the public rates – I’ve seen them cheaper than the room block!

Staying Offsite

Pros:

  • Cheaper hotels available (or AirBnB).
  • More options (loyalty points, etc.).
  • Quieter hotels/less shenanigans.

Cons:

  • Need to go back and forth to the cons.

Admittedly, the pros/cons of staying offsite are nearly the inverse of staying onsite, so it’s very much a matter of your own priorities.

Caesar’s Properties and “Health and Welfare Checks”

Note that there were a lot of issues regarding Caesar’s Entertainment Group employees (and potentially impostors) entering guest rooms last year. Caesar’s maintains that these room checks will be conducted by security and are necessary for guest safety. While this is highly debatable (largely security theater as a result of the Vegas shooter), and many in the security community (including myself) consider these checks an invasion of personal privacy, it appears they will be continuing these checks. DEF CON links to this Caesar’s room check policy FAQ. Please note that all three of the hotels where DEF CON is being held this year (Paris, Bally’s, and Planet Hollywood) are members of the Caesar’s Entertainment Group, so I would expect the same behavior at those locations. If you want to ensure your room stays secure when occupied, you could consider a Veritas Traveller’s Doorstop as recommended by Deviant Ollam.

I would also consider putting anything valuable in hard-sided luggage and locking the luggage. It keeps it out of sight, and requires someone to either overtly destroy the luggage or steal the entire thing, either of which is significantly more obvious than just grabbing something. I’m likely going to get a Pelican 1510 or similar for my electronics. That would require a dramatic entry, or is likely to be caught on security cameras if taken by an employee. (There are, of course, no guarantees.)

If you want to avoid this completely, I would check that your alternative hotel has no such policy. Many of the casino hotels have gone this way, so you might want to consider a non-casino venue, such as the Hilton Grand Vacations, the Westin Las Vegas, or Marriott’s Grand Chateau. As of writing, I could not find any information about a “health and welfare” check for any of them, but if you’re concerned, I would consider calling and checking in advance.

Saving Money

If you’re not lucky enough to have your employer bankrolling your Hacker Summer Camp trip, you probably want to save some dough. Despite its reputation, Vegas can be a relatively affordable city. Here are some tips I’ve either used myself or picked up from friends or online.

Conference Badges

Unfortunately, I don’t have great tips for reducing the cost of conference badges. If you’re budget-conscious, then Black Hat is almost certainly out of the question. While I’m aware of some people sharing a badge for DEF CON, I’d encourage you to look for savings elsewhere first, as you’re missing out on a lot if you’re only able to go for a chunk of the time. For BSides Las Vegas, volunteering is by far the best way to save some green – you’ll get a badge for free for 12 hours of volunteering, and it will allow you to contribute back.

Travel

If you’re planning to fly, CheapAir.com says the best time to book is anywhere from 21 to 120 days in advance. Considering that I’m writing this 98 days before DEF CON begins, that window is already open, so it’s probably time to begin looking at airfare. If you live in an area with multiple airports, such as LA, the SF Bay Area, New York, etc., make sure you check them all. I like to use Google Flight Search to look at multiple dates, airports, and airlines. (Why multiple dates when the conferences are fixed days? You could stay in a $60/night room at Linq if the flight the next day is $100 cheaper.)

Also, if you live close enough and really want to save, consider driving, especially if you do it as part of a group of friends. 3 or 4 people in a car can be considerably cheaper than flying, and you get the road trip experience (which can either be a pro or a con, depending on who you road trip with). If you don’t know anyone locally, consider looking for a DEF CON Group in your area, or checking out the /r/defcon ride and room share thread. Do note that some of the hotels now charge for self-parking, so that’s another issue to take into account.

Hotel

Much like travel, many of the ways to save money on your hotel seem kind of obvious, but they’re all worth checking. If looking to stay at one of the con hotels, make sure you check the group rate. (DEF CON, Black Hat; the BSides LV block is sold out.) Also check both directly with the hotel and with 3rd party booking sites like Hotels.com and others. Don’t forget to check out AirBnB as well.

If you stay beyond walking distance from the conference, don’t forget to add in the cost of an Uber, Lyft, or Taxi ride, or a rental car as appropriate. If you’re on the strip, there is a bus available from 7am to 2am for $8/day. It is supposed to run about every 15 minutes with stops roughly every (long) block or so. Keep in mind that Las Vegas blocks are very long, that the hotels are set back from the road in a lot of cases, and that it will be August in the desert – it’s going to be hot.

Obviously, sharing a room helps to split costs.

Food

Food is probably the area that gives you the best opportunities for saving money. Las Vegas has a full spectrum of food options, ranging from Michelin-starred venues like Joël Robuchon right down to In-N-Out Burger. Some con attendees even go off-strip to a grocery store and get food, but if you want to stay close by and eat at some nice restaurants, here are a few suggestions:

  • Carnegie Deli (at the Mirage; not super cheap, but the portions are huge).
  • Shake Shack.
  • In-N-Out Burger (probably one of the cheapest options near the strip).
  • Planet Hollywood (one of the DEF CON hotels) has an entire indoor mall-like area with many fast food options.

Also note that while buffets sound like a good option, the on-strip buffets tend to be very expensive. On the other hand, you can find cheap, plentiful food at buffets just off the strip.

Conclusion

Closer to the conferences, I’ll put out a preview of specific talks and events to look forward to, as well as newbie guides to some of the events, personal safety tips, and packing information. I’ll also put together a list of things I’m bringing to make the conferences more fun or just make my time in Vegas less painful.

One more thing – my weather prediction for this year is “Hot AF.” Plan accordingly.

Resources

Here are some other resources for finding out more: