In February, I wrote a guide to planning travel for BSides, Black Hat, and DEF
CON, occasionally referred
to as “Hacker Summer Camp.” In my original post, I promised an update with
information about your actual travels to BSides, Black Hat, and DEF CON: what to
bring, what to do, and how best to stay out of trouble. This is my best advice
on that, but I’m sure others have differing opinions.
Health and Safety
I discussed the idea of managing your energy in the first post, but I can’t
stress enough how important that is. Las Vegas is hot, there’s a lot going on,
and so it’s easy to not realize how much you’ve burned yourself out. Take your
time and don’t try to do everything – it’s not possible and you’ll make
yourself sick in the process.
DEF CON 101 attendees will hear about the “3-2-1” rule. No, it’s not some new
variation on the TSA’s 3-1-1 rule, it’s the guideline for personal survival at
DEF CON: 3 hours of sleep, 2 meals, and 1 shower. Per day. Every day.
Please follow at least this! Many days you may want to shower more than once,
and I’d strongly encourage that – you’ll be packed into rooms with 15,000 of
your (soon to be) closest friends, and there’s nothing that will make it harder
to network and meet people than smelling like a gym with no ventilation. So I
will also add: use deodorant. If you start to smell, take a shower, don’t just
try to cover it up with some kind of body spray. Body spray just means you
smell like sweat and some $4.99 crap you got from the checkout register.
This is a good time to mention hydration: it’s Las Vegas, which means it will be
dry and hot, which is the recipe for dehydration. So is moving around a lot.
So you need to always be drinking, and I don’t just mean Beer, Gin & Tonic, or
Vodka & Red Bull. Drink lots of water. If at any point you get headaches,
nauseated, or generally feel like crap, odds are you’re dehydrated and water
will help. Money saving tip: if you want bottled water, buy water from
a drugstore or convenience
store on the strip (or if you’re driving, bring it with you). It will be
much cheaper than buying it in any of the hotels.
Finally, a word about physical safety: keep your wits about you. DEF CON gets
attendees of all sorts, and you’re in Las Vegas, a city known for clueless
tourists, so there’s plenty of opportunity for thieves and other criminals.
Know where your stuff is at all times, and don’t leave it unattended. Don’t
look like a conference attendee outside the hotel, and if you’re out very late
at night, being with others will help ensure your safety.
What to Bring
What to Wear
Read the weather forecast, but you can pretty much count on hot & dry. And when
I say hot, I mean like 40°C (100°F +, for those of you not working in SI
units). DEF CON is a highly informal conference – t-shirts and shorts or
jeans are probably the “average” attire. If you want to look more professional,
you’ll be fine too, unless you wear a suit. Then you’ll stick out like a sore
thumb. BSides is approximately the same, Black Hat tends more towards business
casual, though you’ll see plenty of t-shirts & jeans here too. Generally, wear
whatever you’re comfortable in in hot weather.
The network at DEF CON has been called the most hostile network in the world,
but I suspect that’s a little overblown. That being said, it’s probably a good
idea to treat it as highly hostile – better safe than sorry.
At a minimum:
- Back up your data in advance
- Fully patched
- Full disk encryption
- Firewall enabled
- Use a VPN & SSL-enabled sites
- Don’t click past SSL warnings
Other possible considerations:
- Don’t bring sensitive data at all
- Use a different hard drive
- Use a different device
Picking your devices
What electronics you want to bring will depend on what you want to do. Some
activities will require a laptop: CTFs, Capture the Packet, Badge Hacking (most
likely). If you want to participate in these or something similar, you’ll want
to bring a laptop. Otherwise, I’d encourage you to leave the laptop at home, or
at least in your hotel room. (Being mindful, of course, of theft and evil maid
It’s obviously hard to go without a cell phone, but you may want to consider
using a different phone from usual, for several reasons. This gives you
the option to give out a number to arrange parties, events, etc., without
handing over your permanent contact information (as can various services), and
it also protects you against attacks on your devices. (There have been a lot of
3G/4G and mobile attacks lately, so it makes sense to pay attention there.)
Other things to Bring
- Cash: DEF CON tickets are cash-only, and you might want cash for cabs, drinks,
etc. I’d recommend against using the ATMs in the immediate vicinity of the
cons – you never know who’s found an 0-day or brought a skimmer!
- Notepad and pen: old fashioned note taking is sometimes the best.
There’s a lot of things to do in this week, and I’d like to focus on 3 principal
ideas to help in choosing what to do:
- Don’t try to do it all – you just can’t
- Be active, not passive
- Try new things
Obviously, these conferences are best known for their talks and presentations,
but I don’t actually consider those the most important reason for attending.
I’ll attend a few talks, but since they’re nearly all recorded, I can always see
the talks later. Attend talks that are of personal interest, but don’t force
yourself to sit in the audience of a talk every hour – that’s being passive,
and you won’t get as much out of things.
DEF CON hosts a number of villages each year, housing various demonstrations and
activities, including the Lockpicking Village, Wireless Village, Packet
Capture Village, and Tamper Evident Village. Each one will have talks and
activities focusing on that particular aspect of “hacking”, and they are great
opportunities to learn something new from people who are extremely passionate
about their niche. Some of the things you can try doing:
- Analysis of packets from the network
- Pick locks
- Try to open tamper-evident containers without leaving a trace
- Hunt for hidden wireless devices
The content from the villages is often not available anywhere else, so if you
see a topic that you’re interested in, you should definitely pay them a visit.
It’s probably not a secret that there are parties in Las Vegas during this week.
Many of these are great opportunities to get to know other security
professionals and enthusiasts, discover what people are working on, and
generally network. You never know when you might meet your next coworker. :)
I hope this has been helpful in your Hacker Summer Camp planning. Got a
question? Check out /r/defcon or I’m
@Matir on Twitter.