A couple of coworkers who have never been to DEF CON,
BSides Las Vegas or Black
Hat (collectively, “Hacker Summer Camp”)
asked me about planning their first trips, so I decided to collect my tips here.
I’m going to be splitting my advice into two parts: this planning guide for
travel/scheduling/registration information, and a
Hacker Summer Camp survival guide for advice that’s more relevant while you’re
at the conferences.
Manage Your Energy
There’s a lot to do, the hours tend to be long, and unless you’re used to both
the environment (typically hot, this is Las Vegas in August!) and the crowds,
it’s going to burn a lot more energy than you’re going to expect. Two years
ago, I attended all 3 of the conferences, helped run a company suite, and taught
classes at R00tz (formerly DEF CON Kids). This was a serious mistake on my
part, and failure to manage my energy adequately. I ended up not getting as
much out of any of the events as I should have, and when I returned, I ended up
sick for several days due to the toll of these events on my body. It was more
than a full week afterwards before I felt fully recovered.
If this is your first time, don’t try to do everything. Firstly, it’s just not
possible, and secondly, you will destroy yourself trying to do so. Prioritize,
and make yourself okay with the fact that some things you’ll just miss out on.
For myself, the most important parts of the week are:
- Activities – I learn more by doing than by listening to some speaker try
to tell you what he did in 45 minutes. I typically play in the BSides LV CTF
and Capture the Packet at DEF CON. Others might find the DEF CON Shoot to
their liking. (I’d probably like it too, but always end up busy on Thursday.)
- Villages – Villages are a set of topical/related presentations and
activities that are presented by people who are very into the particular
topic. I’ll usually visit the tamper-evident village, lockpicking village,
wireless village, and whatever is new. If you’ve never tried picking a lock,
it’s really interesting just to see how the process goes, and the guys in the
lockpicking village can tell you anything you wanted to know about any lock.
- Networking – One of the most important aspects of DEF CON is networking,
and it’s not just about lining up your next job. This industry is full of
back-channel connections that help you get information, securely report a
vulnerability, or help you find a solution to a problem. You’ll find out
things that aren’t publicly known, learn who to talk to about esoteric
technology, and generally meet some great people.
- Talks – Talks are good and are obviously a core part of all of the
conferences, but to me, they take a back seat to the above categories. This
isn’t because I don’t like the talks (I do!) but because the other categories
require your in-person presence and participation. Unless you want to ask the
presenter a question, the talk won’t be recorded, or you really want to know
about it before the recording becomes available, being there in person adds
very little to the value of a talk.
- Parties – Rumor has it that DEF CON, Black Hat, and BSides may also have
parties. These rumors are completely unfounded. There is absolutely no
partying, live music, alcohol consumption, or any other fun to be had in Las
Vegas during these events.
Scheduling
Black Hat Briefings are Wednesday and Thursday, with trainings either
Saturday-Sunday or Monday-Tuesday (or sometimes covering both for bigger
trainings). BSides LV is Tuesday and Wednesday, with a pretty full schedule
both days. DEF CON is Thursday-Sunday, but Thursday doesn’t really get
started until the afternoon (and even then, the villages have not historically
been open), and things start to wind down a little bit Sunday afternoon, so
Friday and Saturday are the “core” for DEF CON.
1 Conference, 2 Conferences, 3 Conferences?
So which conferences do you want to go to? Well, that really depends on what
you’re looking for. I strongly suggest not trying to do all 3: you’ll end up
just half-doing all 3. (This is borne out by personal experience.) Here’s what
I see as the tradeoffs:
Common Elements
All 3 conferences have excellent technical content, and many of the
presentations will be at more than one conference. Many of the attendees will
be at more than one as well, so you’ll be running in to the same people
throughout the week.
DEF CON
DEF CON is, by far, the biggest of the 3 conferences – reportedly somewhere
around 14,000 attendees. It has the most hands-on activities with the villages,
and most of the parties (oh wait, what happens in Vegas stays in Vegas…). DEF
CON is somewhere between casual and chaotic, and is, of course, the conference
that started the whole week of Hacker Summer Camp 24 years ago. For me, DEF CON
is the “can’t miss” part of the week, as it has the most learning opportunities,
most social networking opportunities, and most of the people I look to catch up
with will be at DEF CON. The Vendor area at DEF CON is not a trade show – it’s
suppliers who will sell you tools, books, parts, lockpicks, t-shirts, and other
things for the individual to use, rather than a “turnkey enterprise solution.”
Black Hat
Black Hat is the business side of the week. If you’re most comfortable in a
shirt and khakis, then this might be the conference for you. If you need a
large trade show-esque vendor area, they have it. The talks remain
high-quality, but it’s definitely got the feeling of corporate-run,
enterprise-focused, and very little “community.” It’s also worth noting that
Black Hat is an order of magnitude more expensive than DEF CON, so that may
influence your choices.
BSides Las Vegas
BSides LV started as the “B-Side” to Black Hat: an opportunity for smaller
presenters, attendees without the budget for Black Hat, and more. It’s grown
into a network of regional conferences, and has expanded to a number of tracks
of talks in Las Vegas. Most interestingly, they have a track dedicated to first
time speakers, so you can get to meet some up and coming presenters and support
those new to the scene. BSides is the most calm and laid-back of the 3
conferences, and a very casual environment. BSides is also the cheapest ($25
last year, if I recall correctly) and held at a hotel with dirt-cheap room rates
($49/night or so), so is clearly a way for a hacker on a budget to enjoy hacker
summer camp. (They also offer a shuttle between the BSides hotel and DEF CON,
so you can enjoy their low room rate all week!)
Travel
I’m told driving to DEF CON can be a great deal of fun when done with the right
people, but I haven’t managed to do so myself. I imagine doing it yourself
isn’t much fun. Do keep in mind that you’ll be driving through the desert, so a
reliable vehicle is a must, and bring water, just in case.
Las Vegas, as a center of tourist travel, has relatively convenient air travel
options from pretty much anywhere. From the SF Bay Area, there’s several direct
flights a day from any of the 3 local airports, and on several airlines, and
it’s just over an hour gate-to-gate. Keep an eye on airfare early and look for
deals – booking early can easily save more than $100 on airfare. When
planning, particularly for your departure from Las Vegas, please keep in mind
that DEF CON travelers on Sunday evening are numerous enough to cause significant delay
at airport check-in and security, so allow extra time.
Hotel
There’s two schools of thought on hotel: stay at the conference hotel (for one
of the conferences, if doing more than one), or stay away from the conference
hotel. I personally prefer the DEF CON hotel (i.e., Bally’s or Paris for DEF
CON 24), but I’ll review the pros/cons of each so you can make up your own mind:
Staying at the Conference Hotel
- (Pro) You can easily get back to your hotel room after evening “social
activities”.
- (Pro) It’s easy to dump stuff in your room so you don’t have to carry
everything around. (This can be somewhat mitigated if you have a friend
staying there.)
- (Pro) It’s fun to meet random people from the con around the hotel.
- (Pro) Usually, DEF CON sets up “DEF CON TV” to the rooms in the DEF CON
hotels, which will live stream the talks, so if there’s one you really want to
see but the room is slammed, you can watch it from your room. (Or you can
hang out with some new friends, drink a couple of beers, and watch talks from
your room.)
- (Con) Everywhere at the hotel will be busy. Everywhere. Every bar,
restaurant, and shop, will be slammed at all hours. Seriously.
Staying Elsewhere
- (Pro) You get a break by getting away from the conference. This can be a
good option for introverts. (Though I personally find going to my room enough
for that – I usually need to do so about once per day to mentally recharge.)
- (Pro) You can often find much better deals off site, especially if you
start looking early. DEF CON even has room block that is close by, but not
Paris/Bally’s, and is generally cheaper than those hotels.
- (Pro) Food options will be much less busy than at the conference hotel.
- (Con) You’ll need to get back and forth to the conference, which may
negate some of the potential savings. (You may think you can walk, but
temperatures during this week often exceed 100°F (38°C))
Other Things to Be Aware Of
- As of DEF CON 24, registration is $240, cash only at the door. Since DEF CON
20, pricing has fairly consistently been ($year * $10) – so $200 at DC 20,
$220 at DC 22, $230 at DC 23, and this year will be $240 for DC 24.
While historically, there have been crazy waits for badges,
registration got much better with DEF CON 23.
- Currently, even numbered years get electronic badges, and odd numbered years
get non-electronic badges. The electronic badges tend to run out, so you may
want to make sure you get a badge on Thursday (they’re usually good through
Thursday) if that’s important to you.
- International travelers: Las Vegas basically runs on tips. Nearly everyone
expects to be tipped.
- Be an active participant. I’ve personally spent too much time not
participating: not talking, not engaging, not doing. You won’t get the most
out of this week by being a wallflower.
Resources
There are a lot of resources for finding out more about what’s going on.
Obviously, the conference websites are your first stop, but as DEF CON is a
large community event, there’s also more opportunities out there:
Conclusion
I hope this proves helpful to those new to DEF CON. Get out there, meet people,
and have fun. If you’re a seasoned veteran and see some suggestions I’ve
missed, please email me or find me on twitter:
@matir with your suggestion and I’ll add it.
Thanks to the @dc404 group for some of the
additions and suggestions!